CIS RAM v2.1 For IG2 Workbook 23.03

CIS RAM v2.
1 for IG2
The CIS RAM for IG2 Workbook protects most cells in the Risk Register and lookup t
accidentally changing the formulas and lookups that automate the risk analysis and m
If users are confident in their use of Microsoft® Excel and wish to modify values, such
Criteria, they may “unprotect” the document by going to the “Review” tab in the Excel
“Unprotect sheet” button. However, guidance for maintenance of the Workbook, form
cells is beyond the scope of this document.
r IG2
ster and lookup tables to prevent users from
k analysis and make it simple.
dify values, such as Risk Acceptance

tab in the Excel menu and selecting the
Workbook, formulas, lookups, and protected
Remember to download the CIS Critical Security Controls (CIS Controls) Version 8 Guide where you can learn more about:
• This Version of the CIS Controls
• The CIS Controls Ecosystem ("It's not about the list")
• How to Get Started
• Using or Transitioning from Prior Versions of the CIS Controls
• Structure of the CIS Controls
• Implementation Groups
• Why is this Control critical
• Procedures and Tools
https://www.cisecurity.org/controls/v8/
This is a free tool with a dynamic list of the CIS Safeguards that can be filtered by Implementation Groups and mappings to multiple
frameworks.
https://www.cisecurity.org/controls/v8
Join our Community where you can discuss the CIS Controls with our global army of experts and volunteers!
https://workbench.cisecurity.org/dashboard
CIS CSAT (Controls Self Assessment Tool)
Overview: The CIS Controls® Self Assessment Tool, also known as CIS CSAT, enables organizations to assess and track their
implementation of the CIS Controls for Versions 8 and 7.1. The CIS Controls are a prioritized set of consensus-developed security best
practices used by organizations around the world to defend against cyber threats.
TWO TYPES:
CIS-Hosted CSAT: The CIS-hosted version of CIS CSAT is free to every organization for use in a non-commercial capacity to conduct
CIS Controls assessments of their organization. (released January 2019)
https://csat.cisecurity.org/
CIS CSAT Pro: The on-premises version of CIS CSAT is available exclusively for CIS SecureSuite Members. This version offers
additional features and benefits: Save time by using a simplified scoring method with a reduced number of questions, Decide whether to
opt in to share data and see how scores compare to industry average, Greater flexibility with organization trees for tracking
organizations, sub-organizations, and assessments, Assign users to different roles for different organizations/sub-organizations as well
as greater separation of administrative and non-administrative roles, Track multiple concurrent assessments in the same organization,
Easily access your tasks, assessments, and organizations from a consolidated home page, Includes CIS Controls Safeguard mappings
to NIST CSF, NIST SP 800-53, and PCI. (released August 2020)
https://www.cisecurity.org/controls/cis-controls-self-assessment-tool-cis-csat/
Prompt
How would you concisely describe the benefit that your
1 Mission enterprise provides your customers, clients, constituents, or the
public? This is why they engage in this risk with you.
Instructions: Imagine that your enterprise suffers a cybersecurity or information security incident. Describe i
determine that the impacts to your mission were acceptable, or unacceptable.
Impact Magnitude Prompt

What observable evidence would you have that your mission - as
Negligible
you defined it above - would be unaffected?
What observable evidence would you have that your mission
Acceptable
would be compromised, but it would not require correction?
would be compromised in a way that would require correction,
Unacceptable
but the correction could be achieved through the normal course
of business?
High would be compromised so badly that extraordinary efforts would
be required to restore it?

Catastrophic
would be compromised so badly that it could not be achieved?
Prompt
Operational What business or organizational goals does the enterprise

2 attempt to achieve?
Objectives
determine that the impacts to your operational objectives were acceptable, or unacceptable.

What observable evidence would you have that your operational
Negligible
objectives - as you defined them above - would be unaffected?

Acceptable objectives would be compromised, but it would not require
correction?
objectives would be compromised in a way that would require
Unacceptable
correction, but the correction could be achieved through the
normal course of business?
High objectives would be compromised so badly that extraordinary
efforts would be required to restore them?
Catastrophic objectives would be compromised so badly that they could not be
achieved?
Prompt
What are the unexpected cost outlays that your enterprise could
3 Financial Objectives or could not tolerate?
determine that the impacts to your financial objectives were acceptable, or unacceptable.

What observable evidence would you have that your financial
Negligible

Acceptable objectives would be compromised, but it would not require
correction?
Unacceptable
correction, but the correction could be achieved through the
normal course of business?
High objectives would be compromised so badly that extraordinary
efforts would be required to restore them?
Catastrophic Leave this blank
Prompt
What harm may foreseeably come to others as a result of a

4 Obligations cybersecurity incident?
determine that the impacts to your obligations (harm, to others) were acceptable, or unacceptable.

Negligible Describe a condition where others would not be harmed.
Describe a condition where others would not be harmed to a

Acceptable
degree that required correction or compensation.
Describe a condition where one or few others would be harmed

Unacceptable
to a degree that you could correct.
Describe a condition where many others would be harmed to a
degree that you could correct, or where few others are harmed to
High
a degree that others would always have a small degree of
impairment.
Catastrophic Describe a condition where others would be irreparably harmed.
Response
ecurity incident. Describe in the spaces provided below how you would
Response
The mission would remain intact.
This mission would not be perfectly achieved, but could be
recovered within normal operations.
This mission would not be achieved, and would require short-

term, unplanned efforts, resources, or investments to recover.
This mission would not be achieved. If significant, unplanned

efforts, resources, or investments are not made, the mission
may not ever be achievable.
The mission would not be achievable.
Response
ceptable.
Response
Growth plan would be intact.
Growth plan would be off target, but within variance.
Growth plan would be out of variance, but can be recovered

within a fiscal year.
Growth plan would be out of variance, and may require multiple

years to correct.
We would not be able to grow.
Response
ptable.
Response
Response
or unacceptable.
Response
No harm could foreseeably result.
Any harm that could result would not require correction, repair,
or compensation to make the harmed parties "whole."
Correctible harm may occur to one or few others.
Correctible harm may occur to many others, or harm that can be

partially corrected for a few others may occur.
We would not be able to protect others from any degree of
harm.
1 Enterprise Risk Assessment Criteria
2 Impact Criteria
Impact Scores
Definition
1. Negligible
2. Acceptable
3. Unacceptable
4. High
5. Catastrophic
3 Expectancy Criteria
Expectancy Score
1
4 Risk Acceptance Criteria
We would start to invest against risks to prevent

this expectancy and impact, or higher.
5 Inherent Risk Criteria
Asset Class
Enterprise
Devices
Applications
Data
Network
Users
Enterprise Name
Scope
Last Completed (Date)
Mission Operational Objectives
The mission would remain intact. Growth plan would be intact.
This mission would not be perfectly achieved,

Growth plan would be off target, but within
but could be recovered within normal
variance.
operations.
This mission would not be achieved, and would

Growth plan would be out of variance, but
require short-term, unplanned efforts,
can be recovered within a fiscal year.
resources, or investments to recover.
This mission would not be achieved. If
significant, unplanned efforts, resources, or Growth plan would be out of variance, and
investments are not made, the mission may not may require multiple years to correct.
ever be achievable.
The mission would not be achievable. We would not be able to grow.
Expectancy Criteria
Safeguard would reliably prevent the
Remote
threat.
Safeguard would reliably prevent most
Unlikely
occurrences of the threat.
Safeguard would prevent as many threat
As likely as not
occurrences as it would miss.
Safeguard would prevent few threat
Likely
occurrences.
Safeguard would not prevent threat
Certain
occurrences.
Expectancy Impact
Acceptable Risk is less than … 0

What is the highest impact to the Mission, Operational Objectives, Financial Objectives, and Obligations that each Asset Type c
The "Enterprise" Asset Class will automatically use the highest Impact Score you provide for the assets below.
Mission Impact Operational Objectives Impact

Financial Objectives Obligations
No harm could foreseeably result.

Any harm that could result would not
require correction, repair, or
compensation to make the harmed
parties "whole."
Correctible harm may occur to one or

few others.
Correctible harm may occur to many

others, or harm that can be partially
corrected for a few others may occur.
We would not be able to protect others

from any degree of harm.
ectives, and Obligations that each Asset Type could cause?
provide for the assets below.
Financial Objectives Impact Obligations Impact

Enterprise Name
Enterprise Risk Scope
Assessment Criteria Last Completed (Date)
Risk Register Risk Analysis
Asset Class Asset Name CIS Safeguard #
Applications 2.1
Applications 2.2
Applications 2.3
Applications 2.4
Applications 2.6
Applications 3.1
Applications 3.2
Applications 3.4
Applications 3.5
Applications 3.6
Applications 3.7
Applications 5.1
Applications 5.2
Applications 5.3
Applications 5.4
Applications 5.5
Applications 7.1
Applications 7.2
Applications 7.3
Data 10.1
Data 10.2
Data 10.3
Data 10.4
Data 10.5
Data 13.1
Data 13.2
Data 13.4
Data 13.6
Data 13.7
Data 14.4
Data 14.6
Devices 1.1
Devices 1.3
Devices 1.4
Devices 1.5
Devices 1.6
Devices 1.7
Devices 8.1
Devices 8.2
Devices 8.3
Devices 8.4
Devices 8.5
Devices 8.6
Devices 8.8
Devices 9.1
Devices 9.2
Devices 9.3
Devices 9.4
Devices 15.6
Devices 15.9
Enterprise 17.1
Enterprise 17.2
Enterprise 17.3
Enterprise 17.4
Enterprise 17.5
Enterprise 17.6
Enterprise 17.7
Enterprise 17.8
Enterprise 17.9
Enterprise 18.1
Enterprise 18.2
Enterprise 18.3
Enterprise 18.4
Enterprise 18.5
Enterprise 18.6
Enterprise 18.7
Enterprise 18.8
Enterprise 18.9
Enterprise 18.10
Enterprise 18.11
Enterprise 19.1
Enterprise 19.2
Enterprise 19.3
Enterprise 19.4
Enterprise 19.5
Enterprise 19.6
Enterprise 19.7
Enterprise 20.1
Enterprise 20.2
Enterprise 20.4
Enterprise 20.5
Enterprise 20.6
Enterprise 20.8
Network 6.1
Network 6.2
Network 6.3
Network 6.4
Network 6.5
Network 6.6
Network 6.7
Network 7.4
Network 7.5
Network 7.6
Network 7.7
Network 7.8
Network 7.9
Network 8.7
Network 11.1
Network 11.2
Network 11.3
Network 11.4
Network 11.5
Network 11.6
Network 11.7
Network 12.1
Network 12.2
Network 12.3
Network 12.4
Network 12.5
Network 12.6
Network 12.8
Network 14.1
Network 14.2
Network 14.3
Network 15.1
Network 15.2
Network 15.3
Network 15.7
Network 15.10
Users 3.3
Users 4.1
Users 4.2
Users 4.3
Users 4.4
Users 4.5
Users 4.6
Users 4.7
Users 4.8
Users 4.9
Users 12.11
Users 16.1
Users 16.2
Users 16.3
Users 16.4
Users 16.5
Users 16.6
Users 16.7
Users 16.8
Users 16.9
Users 16.10
Users 16.11
Users 16.12
NIST CSF Security
CIS Safeguard Title IG1 IG2 Our Implementation
Function
Maintain Inventory of Authorized

x x Identify
Software
Ensure Software is Supported by

x x Identify
Vendor
Utilize Software Inventory Tools x Identify
Track Software Inventory Information x Identify
Address unapproved software x x Respond
Run Automated Vulnerability

x Detect
Scanning Tools
Perform Authenticated Vulnerability

x Detect
Scanning
Deploy Automated Operating System

x x Protect
Patch Management Tools
Deploy Automated Software Patch

x x Protect
Management Tools
Compare Back-to-Back Vulnerability

x Respond
Scans
Utilize a Risk-Rating Process x Respond
Establish Secure Configurations x x Protect
Maintain Secure Images x Protect

Securely Store Master Images x Protect
Deploy System Configuration

x Protect
Management Tools
Implement Automated Configuration

x Detect
Monitoring Systems
Ensure Use of Only Fully Supported

x x Protect
Browsers and Email Clients
Disable Unnecessary or
Unauthorized Browser or Email x Protect
Client Plugins
Limit Use of Scripting Languages in

x Protect
Web Browsers and Email Clients
Ensure Regular Automated BackUps x x Protect
Perform Complete System Backups x x Protect
Test Data on Backup Media x Protect
Protect Backups x x Protect
Ensure All Backups Have at Least

x x Protect
One Offline Backup Destination
Maintain an Inventory of Sensitive

x x Identify
Information
Remove Sensitive Data or Systems

Not Regularly Accessed by x x Protect
Organization
Only Allow Access to Authorized

x Protect
Cloud Storage or Email Providers
Encrypt Mobile Device Data x x Protect
Manage USB Devices x Protect
Encrypt All Sensitive Information in

x Protect
Transit
Protect Information Through Access

x x Protect
Control Lists
Utilize an Active Discovery Tool x Identify

Use DHCP Logging to Update Asset
x Identify
Inventory
Maintain Detailed Asset Inventory x x Identify
Maintain Asset Inventory Information x Identify
Address Unauthorized Assets x x Respond
Deploy Port Level Access Control x Protect
Utilize Centrally Managed Anti-

x Protect
malware Software
Ensure Anti-Malware Software and
x x Protect
Signatures Are Updated
Enable Operating System Anti-

Exploitation Features/Deploy Anti- x Protect
Exploit Technologies
Configure Anti-Malware Scanning of

x x Detect
Removable Devices
Configure Devices to Not Auto-Run
x x Protect
Content
Centralize Anti-Malware Logging x Detect
Enable Command-Line Audit
x Detect
Logging
Associate Active Ports, Services,
x Identify
and Protocols to Asset Inventory
Ensure Only Approved Ports,

x Protect
Protocols, and Services Are Running
Perform Regular Automated Port

x Detect
Scans
Apply Host-Based Firewalls or Port-

x x Protect
Filtering
Disable Peer-to-Peer Wireless

Network Capabilities on Wireless x Protect
Clients
Disable Wireless Peripheral Access
x Protect
of Devices
Perform a Skills Gap Analysis x N/A
Deliver Training to Fill the Skills Gap x N/A

Implement a Security Awareness
x x N/A
Program
Update Awareness Content

x N/A
Frequently
Train Workforce on Secure

x x N/A
Authentication
Train Workforce on Identifying Social
x x N/A
Engineering Attacks
Train Workforce on Sensitive Data
x x N/A
Handling
Train Workforce on Causes of

x x N/A
Unintentional Data Exposure
Train Workforce Members on

x x N/A
Identifying and Reporting Incidents
Establish Secure Coding Practices x N/A
Ensure That Explicit Error Checking

is Performed for All In-House x N/A
Developed Software
Verify That Acquired Software is Still

x N/A
Supported
Only Use Up-to-Date and Trusted

x N/A
Third-Party Components
Use Only Standardized and
Extensively Reviewed Encryption x N/A
Algorithms
Ensure Software Development
Personnel are Trained in Secure x N/A
Coding
Apply Static and Dynamic Code
x N/A
Analysis Tools
Establish a Process to Accept and
Address Reports of Software x N/A
Vulnerabilities
Separate Production and Non-
x N/A
Production Systems
Deploy Web Application Firewalls x N/A
Use Standard Hardening

Configuration Templates for x N/A
Databases
Document Incident Response
x x N/A
Procedures
Assign Job Titles and Duties for

x N/A
Incident Response
Designate Management Personnel to

x x N/A
Support Incident Handling
Devise Organization-wide Standards

x N/A
for Reporting Incidents
Maintain Contact Information For

x x N/A
Reporting Security Incidents
Publish Information Regarding

Reporting Computer Anomalies and x x N/A
Incidents
Conduct Periodic Incident Scenario

x N/A
Sessions for Personnel
Establish a Penetration Testing

x N/A
Program
Conduct Regular External and
x N/A
Internal Penetration Tests
Include Tests for Presence of

Unprotected System Information and x N/A
Artifacts
Create Test Bed for Elements Not

x N/A
Typically Tested in Production
Use Vulnerability Scanning and

x N/A
Penetration Testing Tools in Concert
Control and Monitor Accounts

x N/A
Associated with Penetration Testing
Utilize Three Synchronized Time

x Detect
Sources
Activate Audit Logging x x Detect
Enable Detailed Logging x Detect
Ensure Adequate Storage for Logs x Detect
Central Log Management x Detect

Deploy SIEM or Log Analytic Tools x Detect
Regularly Review Logs x Detect
Maintain and Enforce Network-

x Protect
Based URL Filters
Subscribe to URL-Categorization
x Protect
Service
Log All URL requester x Detect
Use of DNS Filtering Services x x Protect
Implement DMARC and Enable

x Protect
Receiver-Side Verification
Block Unnecessary File Types x Protect
Enable DNS Query Logging x Detect

Maintain Standard Security
x Identify
Configurations for Network Devices
Document Traffic Configuration

x Identify
Rules
Use Automated Tools to Verify

Standard Device Configurations and x Detect
Detect Changes
Install the Latest Stable Version of
Any Security-Related Updates on All x x Protect
Network Devices
Manage Network Devices Using
Multi-Factor Authentication and x Protect
Encrypted Sessions
Use Dedicated Machines For All

x Protect
Network Administrative Tasks
Manage Network Infrastructure

x Protect
Through a Dedicated Network
Maintain an Inventory of Network

x x Identify
Boundaries
Scan for Unauthorized Connections

x Protect
Across Trusted Network Boundaries
Deny Communications With Known
x Protect
Malicious IP Addresses
Deny Communication Over

x x Detect
Unauthorized Ports
Configure Monitoring Systems to

x Detect
Record Network Packets
Deploy Network-Based IDS Sensors x Detect
Deploy NetFlow Collection on

x Protect
Networking Boundary Devices
Segment the Network Based on

x Protect
Sensitivity
Enable Firewall Filtering Between

x Protect
VLANs
Disable Workstation to Workstation

x Protect
Communication
Maintain an Inventory of Authorized

x Identify
Wireless Access Points
Detect Wireless Access Points

x Detect
Connected to the Wired Network
Use a Wireless Intrusion Detection
x Detect
System
Leverage the Advanced Encryption
Standard (AES) to Encrypt Wireless x x Protect
Data
Create Separate Wireless Network

x x Protect
for Personal and Untrusted Devices
Protect Dedicated Assessment

x Protect
Accounts
Maintain Inventory of Administrative

x Detect
Accounts
Change Default Passwords x x Protect
Ensure the Use of Dedicated

x x Protect
Administrative Accounts
Use Unique Passwords x Protect
Use Multi-Factor Authentication for

x Protect
All Administrative Access
Use Dedicated Workstations For All
x Protect
Administrative Tasks
Limit Access to Script Tools x Protect
Log and Alert on Changes to

x Detect
Administrative Group Membership
Log and Alert on Unsuccessful
x Detect
Administrative Account Login
Require All Remote Login to Use
x Detect
Multi-Factor Authentication
Maintain an Inventory of
x Identify
Authentication Systems
Configure Centralized Point of
x Protect
Authentication
Require Multi-Factor Authentication x Protect
Encrypt or Hash all Authentication
x Protect
Credentials
Encrypt Transmittal of Username
x Protect
and Authentication Credentials
Maintain an Inventory of Accounts x Identify
Establish Process for Revoking

x Protect
Access
Disable Any Unassociated Accounts x x Respond

Disable Dormant Accounts x x Respond
Ensure All Accounts Have An
x Protect
Expiration Date
Lock Workstation Sessions After
x x Protect
Inactivity
Monitor Attempts to Access
x Detect
Deactivated Accounts
Evidence of Safeguard Expectancy Impact to
Vulnerabilities VCDB Index
Implementation Maturity Score Score Mission
2
2
1
1
3
3
3
3
1
1
1
1
1
3
3
3
3
3
3
3
3
Risk Register
Impact to Impact to
Impact to
Operational Financial Risk Score Risk Level
Obligations
Objectives Objectives
Risk Treatment
Risk Treatment Option Risk Treatment Safeguard
2.1
2.2
2.3
2.4
2.6
3.1
3.2
3.4
3.5
3.6
3.7
5.1
5.2
5.3
5.4
5.5
7.1
7.2
7.3
10.1
10.2
10.3
10.4
10.5
13.1
13.2
13.4
13.6
13.7
14.4
14.6
1.1
1.3
1.4
1.5
1.6
1.7
8.1
8.2
8.3
8.4
8.5
8.6
8.8
9.1
9.2
9.3
9.4
15.6
15.9
17.1
17.2
17.3
17.4
17.5
17.6
17.7
17.8
17.9
18.1
18.2
18.3
18.4
18.5
18.6
18.7
18.8
18.9
18.1
18.11
19.1
19.2
19.3
19.4
19.5
19.6
19.7
20.1
20.2
20.4
20.5
20.6
20.8
6.1
6.2
6.3
6.4
6.5
6.6
6.7
7.4
7.5
7.6
7.7
7.8
7.9
8.7
11.1
11.2
11.3
11.4
11.5
11.6
11.7
12.1
12.2
12.3
12.4
12.5
12.6
12.8
14.1
14.2
14.3
15.1
15.2
15.3
15.7
15.10
3.3
4.1
4.2
4.3
4.4
4.5
4.6
4.7
4.8
4.9
12.11
16.1
16.2
16.3
16.4
16.5
16.6
16.7
16.8
16.9
16.10
16.11
16.12
Risk Treatment
Safeguard Title
Maintain Inventory of Authorized Software
Ensure Software is Supported by Vendor
Utilize Software Inventory Tools
Track Software Inventory Information
Address unapproved software
Run Automated Vulnerability Scanning Tools
Perform Authenticated Vulnerability Scanning
Deploy Automated Operating System Patch

Management Tools
Deploy Automated Software Patch Management

Tools
Compare Back-to-Back Vulnerability Scans
Utilize a Risk-Rating Process
Establish Secure Configurations
Maintain Secure Images

Securely Store Master Images
Deploy System Configuration Management Tools
Implement Automated Configuration Monitoring

Systems
Ensure Use of Only Fully Supported Browsers and

Email Clients
Disable Unnecessary or Unauthorized Browser or

Email Client Plugins
Limit Use of Scripting Languages in Web Browsers

and Email Clients
Ensure Regular Automated BackUps
Perform Complete System Backups
Test Data on Backup Media
Protect Backups
Ensure All Backups Have at Least One Offline Backup

Destination
Maintain an Inventory of Sensitive Information
Remove Sensitive Data or Systems Not Regularly

Accessed by Organization
Only Allow Access to Authorized Cloud Storage or

Email Providers
Encrypt Mobile Device Data
Manage USB Devices
Encrypt All Sensitive Information in Transit
Protect Information Through Access Control Lists
Utilize an Active Discovery Tool

Use DHCP Logging to Update Asset Inventory
Maintain Detailed Asset Inventory
Maintain Asset Inventory Information
Address Unauthorized Assets
Deploy Port Level Access Control
Utilize Centrally Managed Anti-malware Software

Ensure Anti-Malware Software and Signatures Are
Updated
Enable Operating System Anti-Exploitation

Features/Deploy Anti-Exploit Technologies
Configure Anti-Malware Scanning of Removable

Devices
Configure Devices to Not Auto-Run Content
Centralize Anti-Malware Logging
Enable Command-Line Audit Logging

Associate Active Ports, Services, and Protocols to
Asset Inventory
Ensure Only Approved Ports, Protocols, and Services

Are Running
Perform Regular Automated Port Scans
Apply Host-Based Firewalls or Port-Filtering
Disable Peer-to-Peer Wireless Network Capabilities

on Wireless Clients
Disable Wireless Peripheral Access of Devices
Perform a Skills Gap Analysis
Deliver Training to Fill the Skills Gap

Implement a Security Awareness Program
Update Awareness Content Frequently
Train Workforce on Secure Authentication

Train Workforce on Identifying Social Engineering
Attacks
Train Workforce on Sensitive Data Handling
Train Workforce on Causes of Unintentional Data

Exposure
Train Workforce Members on Identifying and

Reporting Incidents
Establish Secure Coding Practices
Ensure That Explicit Error Checking is Performed for

All In-House Developed Software
Verify That Acquired Software is Still Supported
Only Use Up-to-Date and Trusted Third-Party

Components
Use Only Standardized and Extensively Reviewed

Encryption Algorithms
Ensure Software Development Personnel are Trained

in Secure Coding
Apply Static and Dynamic Code Analysis Tools
Establish a Process to Accept and Address Reports of

Software Vulnerabilities
Separate Production and Non-Production Systems
Deploy Web Application Firewalls
Use Standard Hardening Configuration Templates for

Databases
Document Incident Response Procedures
Assign Job Titles and Duties for Incident Response
Designate Management Personnel to Support Incident

Handling
Devise Organization-wide Standards for Reporting

Incidents
Maintain Contact Information For Reporting Security

Incidents
Publish Information Regarding Reporting Computer

Anomalies and Incidents
Conduct Periodic Incident Scenario Sessions for

Personnel
Establish a Penetration Testing Program

Conduct Regular External and Internal Penetration
Tests
Include Tests for Presence of Unprotected System

Information and Artifacts
Create Test Bed for Elements Not Typically Tested in

Production
Use Vulnerability Scanning and Penetration Testing

Tools in Concert
Control and Monitor Accounts Associated with

Penetration Testing
Utilize Three Synchronized Time Sources
Activate Audit Logging
Enable Detailed Logging
Ensure Adequate Storage for Logs
Central Log Management

Deploy SIEM or Log Analytic Tools
Regularly Review Logs
Maintain and Enforce Network-Based URL Filters
Subscribe to URL-Categorization Service
Log All URL requester
Use of DNS Filtering Services
Implement DMARC and Enable Receiver-Side

Verification
Block Unnecessary File Types
Enable DNS Query Logging

Maintain Standard Security Configurations for Network
Devices
Document Traffic Configuration Rules
Use Automated Tools to Verify Standard Device

Configurations and Detect Changes
Install the Latest Stable Version of Any Security-

Related Updates on All Network Devices
Manage Network Devices Using Multi-Factor

Authentication and Encrypted Sessions
Use Dedicated Machines For All Network

Administrative Tasks
Manage Network Infrastructure Through a Dedicated

Network
Maintain an Inventory of Network Boundaries
Scan for Unauthorized Connections Across Trusted

Network Boundaries
Deny Communications With Known Malicious IP
Addresses
Deny Communication Over Unauthorized Ports
Configure Monitoring Systems to Record Network

Packets
Deploy Network-Based IDS Sensors
Deploy NetFlow Collection on Networking Boundary

Devices
Segment the Network Based on Sensitivity
Enable Firewall Filtering Between VLANs
Disable Workstation to Workstation Communication
Maintain an Inventory of Authorized Wireless Access

Points
Detect Wireless Access Points Connected to the

Wired Network
Use a Wireless Intrusion Detection System
Leverage the Advanced Encryption Standard (AES) to

Encrypt Wireless Data
Create Separate Wireless Network for Personal and

Untrusted Devices
Protect Dedicated Assessment Accounts
Maintain Inventory of Administrative Accounts
Change Default Passwords
Ensure the Use of Dedicated Administrative Accounts
Use Unique Passwords
Use Multi-Factor Authentication for All Administrative

Access
Use Dedicated Workstations For All Administrative
Tasks
Limit Access to Script Tools
Log and Alert on Changes to Administrative Group

Membership
Log and Alert on Unsuccessful Administrative Account
Login
Require All Remote Login to Use Multi-Factor
Authentication
Maintain an Inventory of Authentication Systems
Configure Centralized Point of Authentication
Require Multi-Factor Authentication
Encrypt or Hash all Authentication Credentials

Encrypt Transmittal of Username and Authentication
Credentials
Maintain an Inventory of Accounts
Establish Process for Revoking Access
Disable Any Unassociated Accounts

Disable Dormant Accounts
Ensure All Accounts Have An Expiration Date
Lock Workstation Sessions After Inactivity
Monitor Attempts to Access Deactivated Accounts

Risk Treatment Our Planned
Safeguard Description Implementation
Maintain an up-to-date list of all authorized software that is required in the enterprise
for any business purpose on any business system.
Ensure that only software applications or operating systems currently supported and
receiving vendor updates are added to the organization's authorized software
inventory. Unsupported software should be tagged as unsupported in the inventory
system.
Utilize software inventory tools throughout the organization to automate the
documentation of all software on business systems.
The software inventory system should track the name, version, publisher, and install
date for all software, including operating systems authorized by the organization.
Ensure that unauthorized software is either removed or the inventory is updated in a

timely manner
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant
vulnerability scanning tool to automatically scan all systems on the network on a
weekly or more frequent basis to identify all potential vulnerabilities on the
organization's systems.
Perform authenticated vulnerability scanning with agents running locally on each
system or with remote scanners that are configured with elevated rights on the system
being tested.
Deploy automated software update tools in order to ensure that the operating systems
are running the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on
all systems is running the most recent security updates provided by the software
vendor.
Regularly compare the results from consecutive vulnerability scans to verify that
vulnerabilities have been remediated in a timely manner.
Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.
Maintain documented security configuration standards for all authorized operating
systems and software.
Maintain secure images or templates for all systems in the enterprise based on the
organization's approved configuration standards. Any new system deployment or
existing system that becomes compromised should be imaged using one of those
images or templates.
Store the master images and templates on securely configured servers, validated with
integrity monitoring tools, to ensure that only authorized changes to the images are
possible.
Deploy system configuration management tools that will automatically enforce and
redeploy configuration settings to systems at regularly scheduled intervals.
Utilize a Security Content Automation Protocol (SCAP) compliant configuration
monitoring system to verify all security configuration elements, catalog approved
exceptions, and alert when unauthorized changes occur.
Ensure that only fully supported web browsers and email clients are allowed to
execute in the organization, ideally only using the latest version of the browsers and
email clients provided by the vendor.
Uninstall or disable any unauthorized browser or email client plugins or add-on

applications.
Ensure that only authorized scripting languages are able to run in all web browsers
and email clients.
Ensure that all system data is automatically backed up on a regular basis.
Ensure that all of the organization's key systems are backed up as a complete system,
through processes such as imaging, to enable the quick recovery of an entire system.
Ensure that backups are properly protected via physical security or encryption when
they are stored, as well as when they are moved across the network. This includes
remote backups and cloud services.
Ensure that all backups have at least one offline (i.e., not accessible via a network
connection) backup destination.
Maintain an inventory of all sensitive information stored, processed, or transmitted by
the organization's technology systems, including those located on-site or at a remote
service provider.
Remove sensitive data or systems not regularly accessed by the organization from the
network. These systems shall only be used as stand-alone systems (disconnected
from the network) by the business unit needing to occasionally use the system or
completely virtualized and powered off until needed.
Only allow access to authorized cloud storage or email providers.

Utilize approved cryptographic mechanisms to protect enterprise data stored on all
mobile devices.
If USB storage devices are required, enterprise software should be used that can
configure systems to allow the use of specific devices. An inventory of such devices
should be maintained.
Encrypt all sensitive information in transit.
Protect all information stored on systems with file system, network share, claims,
application, or database specific access control lists. These controls will enforce the
principle that only authorized individuals should have access to the information based
on their need to access the information as a part of their responsibilities.
Utilize an active discovery tool to identify devices connected to the organization's

network and update the hardware asset inventory.
Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP
address management tools to update the organization's hardware asset inventory.
Maintain an accurate and up-to-date inventory of all technology assets with the
potential to store or process information. This inventory shall include all hardware
assets, whether connected to the organization's network or not.
Ensure that the hardware asset inventory records the network address, hardware
address, machine name, data asset owner, and department for each asset and
whether the hardware asset has been approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined, or
the inventory is updated in a timely manner.
Utilize port level access control, following 802.1x standards, to control which devices
can authenticate to the network. The authentication system shall be tied into the
hardware asset inventory data to ensure only authorized devices can connect to the
network.
Utilize centrally managed anti-malware software to continuously monitor and defend
each of the organization's workstations and servers.
Ensure that the organization's anti-malware software updates its scanning engine and
signature database on a regular basis.
Enable anti-exploitation features such as Data Execution Prevention (DEP) or Address
Space Layout Randomization (ASLR) that are available in an operating system or
deploy appropriate toolkits that can be configured to apply protection to a broader set
of applications and executables.
Configure devices so that they automatically conduct an anti-malware scan of
removable media when inserted or connected.
Configure devices to not auto-run content from removable media.
Send all malware detection events to enterprise anti-malware administration tools and
event log servers for analysis and alerting.
Enable command-line audit logging for command shells, such as Microsoft PowerShell
and Bash.
Associate active ports, services, and protocols to the hardware assets in the asset
inventory.
Ensure that only network ports, protocols, and services listening on a system with
validated business needs are running on each system.
Perform automated port scans on a regular basis against all systems and alert if
unauthorized ports are detected on a system.
Apply host-based firewalls or port-filtering tools on end systems, with a default-deny

rule that drops all traffic except those services and ports that are explicitly allowed.
Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.
Disable wireless peripheral access of devices [such as Bluetooth and Near Field
Communication (NFC)], unless such access is required for a business purpose.
Perform a skills gap analysis to understand the skills and behaviors workforce
members are not adhering to, using this information to build a baseline education
roadmap.
Deliver training to address the skills gap identified to positively impact workforce
members' security behavior.
Create a security awareness program for all workforce members to complete on a
regular basis to ensure they understand and exhibit the necessary behaviors and skills
to help ensure the security of the organization. The organization's security awareness
program should be communicated in a continuous and engaging manner.
Ensure that the organization's security awareness program is updated frequently (at
least annually) to address new technologies, threats, standards, and business
requirements.
Train workforce members on the importance of enabling and utilizing secure
authentication.
Train the workforce on how to identify different forms of social engineering attacks,
such as phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and
destroy sensitive information.
Train workforce members to be aware of causes for unintentional data exposures,
such as losing their mobile devices or emailing the wrong person due to autocomplete
in email.
Train workforce members to be able to identify the most common indicators of an

incident and be able to report such an incident.
Establish secure coding practices appropriate to the programming language and

development environment being used.
For in-house developed software, ensure that explicit error checking is performed and
documented for all input, including for size, data type, and acceptable ranges or
formats.
Verify that the version of all software acquired from outside your organization is still
supported by the developer or appropriately hardened based on developer security
recommendations.
Only use up-to-date and trusted third-party components for the software developed by
the organization.
Use only standardized, currently accepted, and extensively reviewed encryption

algorithms.
Ensure that all software development personnel receive training in writing secure code
for their specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being
adhered to for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including

providing a means for external entities to contact your security group.
Maintain separate environments for production and non-production systems.

Developers should not have unmonitored access to production environments.
Protect web applications by deploying web application firewalls (WAFs) that inspect all
traffic flowing to the web application for common web application attacks. For
applications that are not web-based, specific application firewalls should be deployed
if such tools are available for the given application type. If the traffic is encrypted, the
device should either sit behind the encryption or be capable of decrypting the traffic
prior to analysis. If neither option is appropriate, a host-based web application firewall
should be deployed.
For applications that rely on a database, use standard hardening configuration
templates. All systems that are part of critical business processes should also be
tested.
Ensure that there are written incident response plans that define roles of personnel as
well as phases of incident handling/management.
Assign job titles and duties for handling computer and network incidents to specific
individuals, and ensure tracking and documentation throughout the incident through
resolution.
Designate management personnel, as well as backups, who will support the incident
handling process by acting in key decision-making roles.
Devise organization-wide standards for the time required for system administrators
and other workforce members to report anomalous events to the incident handling
team, the mechanisms for such reporting, and the kind of information that should be
included in the incident notification.
Assemble and maintain information on third-party contact information to be used to

report a security incident, such as Law Enforcement, relevant government
departments, vendors, and Information Sharing and Analysis Center (ISAC) partners.
Publish information for all workforce members, regarding reporting computer

anomalies and incidents, to the incident handling team. Such information should be
included in routine employee awareness activities.
Plan and conduct routine incident, response exercises and scenarios for the workforce
involved in the incident response to maintain awareness and comfort in responding to
real-world threats. Exercises should test communication channels, decision making,
and incident responders technical capabilities using tools and data available to them.
Establish a program for penetration tests that includes a full scope of blended attacks,
such as wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and
attack vectors that can be used to exploit enterprise systems successfully.
Include tests for the presence of unprotected system information and artifacts that
would be useful to attackers, including network diagrams, configuration files, older
penetration test reports, e-mails or documents containing passwords or other
information critical to system operation.
Create a test bed that mimics a production environment for specific penetration tests
and Red Team attacks against elements that are not typically tested in production,
such as attacks against supervisory control and data acquisition and other control
systems.
Use vulnerability scanning and penetration testing tools in concert. The results of
vulnerability scanning assessments should be used as a starting point to guide and
focus penetration testing efforts.
Any user or system accounts used to perform penetration testing should be controlled
and monitored to make sure they are only being used for legitimate purposes, and are
removed or restored to normal function after testing is over.
Use at least three synchronized time sources from which all servers and network
devices retrieve time information on a regular basis so that timestamps in logs are
consistent.
Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as a event source, date,
user, timestamp, source addresses, destination addresses, and other useful elements.
Ensure that all systems that store logs have adequate storage space for the logs
generated.
Ensure that appropriate logs are being aggregated to a central log management
system for analysis and review.
Deploy Security Information and Event Management (SIEM) or log analytic tool for log
correlation and analysis.
On a regular basis, review logs to identify anomalies or abnormal events.
Enforce network-based URL filters that limit a system's ability to connect to websites
not approved by the organization. This filtering shall be enforced for each of the
organization's systems, whether they are physically at an organization's facilities or
not.
Subscribe to URL-categorization services to ensure that they are up-to-date with the
most recent website category definitions available. Uncategorized sites shall be
blocked by default.
Log all URL requests from each of the organization's systems, whether on-site or a
mobile device, in order to identify potentially malicious activity and assist incident
handlers with identifying potentially compromised systems.
Use Domain Name System (DNS) filtering services to help block access to known
malicious domains.
To lower the chance of spoofed or modified emails from valid domains, implement
Domain-based Message Authentication, Reporting and Conformance (DMARC) policy
and verification, starting by implementing the Sender Policy Framework (SPF) and the
DomainKeys Identified Mail(DKIM) standards.
Block all email attachments entering the organization's email gateway if the file types
are unnecessary for the organization's business.
Enable Domain Name System (DNS) query logging to detect hostname lookups for
known malicious domains.
Maintain documented security configuration standards for all authorized network
devices.
All configuration rules that allow traffic to flow through network devices should be
documented in a configuration management system with a specific business reason
for each rule, a specific individual’s name responsible for that business need, and an
expected duration of the need.
Compare all network device configuration against approved security configurations

defined for each network device in use, and alert when any deviations are discovered.
Install the latest stable version of any security-related updates on all network devices.
Manage all network devices using multi-factor authentication and encrypted sessions.
Ensure network engineers use a dedicated machine for all administrative tasks or
tasks requiring elevated access. This machine shall be segmented from the
organization's primary network and not be allowed Internet access. This machine shall
not be used for reading email, composing documents, or surfing the Internet.
Manage the network infrastructure across network connections that are separated
from the business use of that network, relying on separate VLANs or, preferably, on
entirely different physical connectivity for management sessions for network devices.
Maintain an up-to-date inventory of all of the organization's network boundaries.
Perform regular scans from outside each trusted network boundary to detect any
unauthorized connections which are accessible across the boundary.
Deny communications with known malicious or unused Internet IP addresses and limit
access only to trusted and necessary IP address ranges at each of the organization's
network boundaries,.
Deny communication over unauthorized TCP or UDP ports or application traffic to
ensure that only authorized protocols are allowed to cross the network boundary in or
out of the network at each of the organization's network boundaries.
Configure monitoring systems to record network packets passing through the
boundary at each of the organization's network boundaries.
Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual
attack mechanisms and detect compromise of these systems at each of the
organization's network boundaries.
Enable the collection of NetFlow and logging data on all network boundary devices.
Segment the network based on the label or classification level of the information
stored on the servers, locate all sensitive information on separated Virtual Local Area
Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are
able to communicate with other systems necessary to fulfill their specific
responsibilities.
Disable all workstation-to-workstation communication to limit an attacker's ability to
move laterally and compromise neighboring systems, through technologies such as
Private VLANs or micro segmentation.
Maintain an inventory of authorized wireless access points connected to the wired

network.
Configure network vulnerability scanning tools to detect and alert on unauthorized

wireless access points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized
wireless access points connected to the network.
Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.
Create a separate wireless network for personal or untrusted devices. Enterprise

access from this network should be treated as untrusted and filtered and audited
accordingly.
Use a dedicated account for authenticated vulnerability scans, which should not be
used for any other administrative activities and should be tied to specific machines at
specific IP addresses.
Use automated tools to inventory all administrative accounts, including domain and
local accounts, to ensure that only authorized individuals have elevated privileges.
Before deploying any new asset, change all default passwords to have values
consistent with administrative level accounts.
Ensure that all users with administrative account access use a dedicated or secondary
account for elevated activities. This account should only be used for administrative
activities and not internet browsing, email, or similar activities.
Where multi-factor authentication is not supported (such as local administrator, root, or

service accounts), accounts will use passwords that are unique to that system.
Use multi-factor authentication and encrypted channels for all administrative account
access.
Ensure administrators use a dedicated machine for all administrative tasks or tasks
requiring administrative access. This machine will be segmented from the
organization's primary network and not be allowed Internet access. This machine will
not be used for reading e-mail, composing documents, or browsing the Internet.
Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only
administrative or development users with the need to access those capabilities.
Configure systems to issue a log entry and alert when an account is added to or
removed from any group assigned administrative privileges.
Configure systems to issue a log entry and alert on unsuccessful logins to an
administrative account.
Require all remote login access to the organization's network to encrypt data in transit
and use multi-factor authentication.
Maintain an inventory of each of the organization's authentication systems, including
those located on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication
as possible, including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether
managed on-site or by a third-party provider.
Encrypt or hash with a salt all authentication credentials when stored.
Ensure that all account usernames and authentication credentials are transmitted
across networks using encrypted channels.
Maintain an inventory of all accounts organized by authentication system.
Establish and follow an automated process for revoking system access by disabling
accounts immediately upon termination or change of responsibilities of an employee or
contractor . Disabling these accounts, instead of deleting accounts, allows
preservation of audit trails.
Disable any account that cannot be associated with a business process or business
owner.
Automatically disable dormant accounts after a set period of inactivity.
Ensure that all accounts have an expiration date that is monitored and enforced.
Automatically lock workstation sessions after a standard period of inactivity.
Monitor attempts to access deactivated accounts through audit logging.

Risk Treatment Risk Treatment Risk Treatment
Risk Treatment Risk Treatment
Safeguard Safeguard Impact Safeguard Impact
Safeguard Maturity Safeguard Impact
Expectancy to Operational to Financial
Score to Mission
Score Objectives Objectives
Reasonable and Risk Treatment
Safeguard Impact Safeguard Risk
Acceptable Safeguard Cost
to Obligations Score
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
Reasonable Annual Cost
Impact to
Implementation Implementation Reasonabl
Financial Year
Quarter Year e?
Objectives
$ - 2021 Yes
$ - 2022 Yes
$ - 2023 Yes
$ - 2024 Yes
$ - 2025 Yes
$ - 2026 Yes
$ - 2027 Yes
$ - 2028 Yes
$ - 2029 Yes
$ - 2030 Yes
Enterprise Name
Enterprise Risk Scope
Assessment Criteria Last Completed (Date)
Risk Register Risk Analysis
Asset Class Asset Name CIS Safeguard #2
Devices 1.1
Devices 1.2
Devices 1.3
Devices 1.4
Applications 2.1
Applications 2.2
Applications 2.3
Applications 2.4
Applications 2.5
Applications 2.6
Data 3.1
Data 3.2
Data 3.3
Data 3.4
Data 3.5
Devices 3.6
Data 3.7
Data 3.8
Data 3.9
Data 3.10
Data 3.11
Network 3.12
Applications 4.1
Network 4.2
Users 4.3
Devices 4.4
Devices 4.5
Network 4.6
Users 4.7
Devices 4.8
Devices 4.9
Devices 4.10
Devices 4.11
Users 5.1
Users 5.2
Users 5.3
Users 5.4
Users 5.5
Users 5.6
Users 6.1
Users 6.2
Users 6.3
Users 6.4
Users 6.5
Users 6.6
Users 6.7
Applications 7.1
Applications 7.2
Applications 7.3
Applications 7.4
Applications 7.5
Applications 7.6
Applications 7.7
Network 8.1
Network 8.11
Network 8.2
Network 8.3
Network 8.4
Network 8.5
Network 8.6
Network 8.7
Devices 8.8
Network 8.9
Network 8.10
Applications 9.1
Network 9.2
Network 9.3
Applications 9.4
Network 9.5
Network 9.6
Devices 10.1
Devices 10.2
Devices 10.3
Devices 10.4
Devices 10.5
Devices 10.6
Devices 10.7
Data 11.1
Data 11.2
Data 11.3
Data 11.4
Data 11.5
Network 12.1
Network 12.2
Network 12.3
Network 12.4
Network 12.5
Network 12.6
Devices 12.7
Network 13.1
Devices 13.2
Network 13.3
Network 13.4
Devices 13.5
Network 13.6
Enterprise 14.1
Enterprise 14.2
Enterprise 14.3
Enterprise 14.4
Enterprise 14.5
Enterprise 14.6
Enterprise 14.7
Enterprise 14.8
Enterprise 14.9
Enterprise 15.1
Enterprise 15.2
Enterprise 15.3
Enterprise 15.4
Applications 16.1
Applications 16.2
Applications 16.3
Applications 16.4
Applications 16.5
Applications 16.6
Applications 16.7
Applications 16.8
Applications 16.9
Applications 16.10
Applications 16.11
Enterprise 17.1
Enterprise 17.2
Enterprise 17.3
Enterprise 17.4
Enterprise 17.5
Enterprise 17.6
Enterprise 17.7
Enterprise 17.8
Enterprise 18.1
Network 18.2
Network 18.3
NIST CSF Security
CIS Safeguard Title IG1 IG2 Our Implementation
Function
Establish and Maintain Detailed

x x Identify
Enterprise Asset Inventory
Utilize an Active Discovery Tool x Detect
Use Dynamic Host Configuration

Protocol (DHCP) Logging to Update x Identify
Establish and Maintain a Software

x x Identify
Inventory
Ensure Authorized Software is

x x Identify
Currently Supported
Address Unauthorized Software x x Respond
Utilize Automated Software Inventory

x Detect
Tools
Allowlist Authorized Software x Protect
Allowlist Authorized Libraries x Protect
Establish and Maintain a Data

x x Identify
Management Process

x x Identify
Inventory
Configure Data Access Control Lists x x Protect
Enforce Data Retention x x Protect
Securely Dispose of Data x x Protect
Encrypt Data on End-User Devices x x Protect

x Identify
Classification Scheme
Document Data Flows x Identify
Encrypt Data on Removable Media x Protect
Encrypt Sensitive Data in Transit x Protect
Encrypt Sensitive Data at Rest x Protect
Segment Data Processing and

x Protect
Storage Based on Sensitivity
Establish and Maintain a Secure
x x Protect
Configuration Process

Configuration Process for Network x x Protect
Infrastructure
Configure Automatic Session

x x Protect
Locking on Enterprise Assets
Implement and Manage a Firewall on

x x Protect
Servers

x x Protect
End-User Devices
Securely Manage Enterprise Assets

x x Protect
and Software
Manage Default Accounts on

x x Protect
Enterprise Assets and Software
Uninstall or Disable Unnecessary

Services on Enterprise Assets and x Protect
Software
Configure Trusted DNS Servers on

x Protect
Enterprise Assets
Enforce Automatic Device Lockout

x Respond
on Portable End-User Devices
Enforce Remote Wipe Capability on

x Protect
Portable End-User Devices
Establish and Maintain an Inventory

x x Identify
of Accounts
Use Unique Passwords x x Protect
Restrict Administrator Privileges to

x x Protect
Dedicated Administrator Accounts

x Identify
of Service Accounts
Centralize Account Management x Protect

Establish an Access Granting
x x Protect
Process
Establish an Access Revoking

x x Protect
Process
Require MFA for Externally-Exposed

x x Protect
Applications
Require MFA for Remote Network

x x Protect
Access
Require MFA for Administrative
x x Protect
Access

of Authentication and Authorization x Identify
Systems
Centralize Access Control x Protect
Establish and Maintain a

x x Protect
Vulnerability Management Process

x x Respond
Remediation Process
Perform Automated Operating

x x Protect
System Patch Management
Perform Automated Application

x x Protect
Patch Management
Perform Automated Vulnerability

x Identify
Scans of Internal Enterprise Assets

Scans of Externally-Exposed x Identify
Enterprise Assets
Remediate Detected Vulnerabilities x Respond
Establish and Maintain an Audit Log

x x Protect
Management Process
Conduct Audit Log Reviews x Detect
Collect Audit Logs x x Protect
Ensure Adequate Audit Log Storage x x Protect
Standardize Time Synchronization x Detect
Collect Detailed Audit Logs x Detect
Collect DNS Query Audit Logs x Detect
Collect URL Request Audit Logs x Detect
Collect Command-Line Audit Logs x Detect
Centralize Audit Logs x Protect

Retain Audit Logs x Detect
x x Protect
Use DNS Filtering Services x x Protect

x Protect
Based URL Filters
Restrict Unnecessary or
Unauthorized Browser and Email x Protect
Client Extensions
Implement DMARC x Protect

Deploy and Maintain Anti-Malware
x x Protect
Software
Configure Automatic Anti-Malware
x x Protect
Signature Updates
Disable Autorun and Autoplay for
x x Protect
Removable Media

x Detect
Scanning of Removable Media
Enable Anti-Exploitation Features x Protect
Centrally Manage Anti-Malware

x Protect
Software
Use Behavior-Based Anti-Malware
x Detect
Software

x x Recover
Recovery Process
Perform Automated Backups x x Recover
Protect Recovery Data x x Protect
Establish and Maintain an Isolated

x x Recover
Instance of Recovery Data
Test Data Recovery x Recover
Ensure Network Infrastructure is Up-

x x Protect
to-Date

x Protect
Network Architecture
Securely Manage Network

x Protect
Infrastructure
Establish and Maintain Architecture

x Identify
Diagram(s)
Centralize Network Authentication,

x Protect
Authorization, and Auditing (AAA)
Use of Secure Network Management

x Protect
and Communication Protocols
Ensure Remote Devices Utilize a

VPN and are Connecting to an x Protect
Enterprise’s AAA Infrastructure
Centralize Security Event Alerting x Detect
Deploy a Host-Based Intrusion

x Detect
Detection Solution
Deploy a Network Intrusion Detection

x Detect
Solution
Perform Traffic Filtering Between

x Protect
Network Segments
Manage Access Control for Remote

x Protect
Assets
Collect Network Traffic Flow Logs x Detect
Establish and Maintain a Security

x x Protect
Awareness Program
Train Workforce Members to

Recognize Social Engineering x x Protect
Attacks

x x Protect
Authentication Best Practices
Train Workforce on Data Handling

x x Protect
Best Practices

Causes of Unintentional Data x x Protect
Exposure
Recognizing and Reporting Security x x Protect
Incidents
Train Workforce on How to Identify

and Report if Their Enterprise Assets x x Protect
are Missing Security Updates
Train Workforce on the Dangers of

Connecting to and Transmitting
x x Protect
Enterprise Data Over Insecure
Networks
Conduct Role-Specific Security
x Protect
Awareness and Skills Training

x x Identify
of Service Providers
Establish and Maintain a Service

x Identify
Provider Management Policy
Classify Service Providers x Identify
Ensure Service Provider Contracts

x Protect
Include Security Requirements

x Protect
Application Development Process
Establish and Maintain a Process to

Accept and Address Software x Protect
Vulnerabilities
Perform Root Cause Analysis on

x Protect
Security Vulnerabilities
Establish and Manage an Inventory
x Protect
of Third-Party Software Components
Use Up-to-Date and Trusted Third-

x Protect
Party Software Components
Establish and Maintain a Severity

Rating System and Process for x Protect
Application Vulnerabilities

Configuration Templates for x Protect
Application Infrastructure

x Protect
Production Systems
Train Developers in Application

Security Concepts and Secure x Protect
Coding
Apply Secure Design Principles in

x Protect
Application Architectures
Leverage Vetted Modules or

Services for Application Security x Protect
Components
Designate Personnel to Manage
x x Respond
Incident Handling
Establish and Maintain Contact

Information for Reporting Security x x Respond
Incidents
Establish and Maintain an Enterprise

x x Respond
Process for Reporting Incidents
Establish and Maintain an Incident

x Respond
Response Process
Assign Key Roles and

x Respond
Responsibilities
Define Mechanisms for

Communicating During Incident x Respond
Response
Conduct Routine Incident Response

x Recover
Exercises
Conduct Post-Incident Reviews x Recover
Establish and Maintain a Penetration

x Identify
Testing Program
Perform Periodic External

x Identify
Penetration Tests
Remediate Penetration Test Findings x Protect

Evidence of Safeguard Expectancy Impact to
Vulnerabilities VCDB Index
Implementation Maturity Score Score Mission
2
2
1
2
3
3
2
2
1
1
1
1
1
1
3
3
2
2
2
3
1
Risk Register Risk Treatment
Impact to Impact to
Impact to
Operational Financial Risk Score Risk Level Risk Treatment Option
Obligations
ment
Risk Treatment
Risk Treatment Safeguard
Safeguard Title

1.1
1.2 Address Unauthorized Assets
1.3 Utilize an Active Discovery Tool
Use Dynamic Host

Configuration Protocol (DHCP)
1.4
Logging to Update Enterprise
Asset Inventory

2.1
Software Inventory

2.2
Currently Supported
2.3 Address Unauthorized Software
Utilize Automated Software

2.4
Inventory Tools
2.5 Allowlist Authorized Software
2.6 Allowlist Authorized Libraries

3.1
Management Process

3.2
Inventory
Configure Data Access Control

3.3
Lists
3.4 Enforce Data Retention
3.5 Securely Dispose of Data
Encrypt Data on End-User

3.6
Devices

3.7
3.8 Document Data Flows
Encrypt Data on Removable

3.9
Media
Encrypt Sensitive Data in
3.1
Transit
3.11 Encrypt Sensitive Data at Rest

3.12
4.1
Secure Configuration Process

4.2 Secure Configuration Process
for Network Infrastructure

4.3
Implement and Manage a

4.4
Firewall on Servers
Implement and Manage a

4.5
Firewall on End-User Devices
Securely Manage Enterprise

4.6
Assets and Software

4.7
Uninstall or Disable
4.8 Unnecessary Services on
Configure Trusted DNS Servers

4.9
on Enterprise Assets
Enforce Automatic Device

4.1 Lockout on Portable End-User
Devices
Enforce Remote Wipe

4.11 Capability on Portable End-
User Devices
Establish and Maintain an

5.1
Inventory of Accounts
5.2 Use Unique Passwords
5.3 Disable Dormant Accounts
Restrict Administrator Privileges

5.4 to Dedicated Administrator
Accounts

5.5
Inventory of Service Accounts
Centralize Account
5.6
Management
6.1
Process

6.2
Process
Require MFA for Externally-

6.3
Exposed Applications
Require MFA for Remote

6.4
Network Access
6.5
Access

6.6 Inventory of Authentication and
Authorization Systems
6.7 Centralize Access Control

7.1 Vulnerability Management
Process
7.2
Remediation Process

7.3

7.4
Patch Management
Perform Automated
7.5 Vulnerability Scans of Internal
Enterprise Assets
Perform Automated
Vulnerability Scans of
7.6
Externally-Exposed Enterprise
Assets
Remediate Detected
7.7
Vulnerabilities
Establish and Maintain an Audit

8.1
Log Management Process
8.11 Conduct Audit Log Reviews
8.2 Collect Audit Logs

Ensure Adequate Audit Log
8.3
Storage
Standardize Time
8.4
Synchronization
8.5 Collect Detailed Audit Logs
8.6 Collect DNS Query Audit Logs

Collect URL Request Audit
8.7
Logs
Collect Command-Line Audit
8.8
Logs
8.9 Centralize Audit Logs
8.1 Retain Audit Logs
Ensure Use of Only Fully
9.1 Supported Browsers and Email
Clients
9.2 Use DNS Filtering Services

9.3
Based URL Filters
9.4 Unauthorized Browser and
Email Client Extensions
9.5 Implement DMARC
9.6 Block Unnecessary File Types

Deploy and Maintain Anti-
10.1
Malware Software
Configure Automatic Anti-
10.2
Malware Signature Updates
Disable Autorun and Autoplay
10.3
for Removable Media
Configure Automatic Anti-

10.4 Malware Scanning of
Removable Media
Enable Anti-Exploitation
10.5
Features

10.6
Software
Use Behavior-Based Anti-
10.7
Malware Software

11.1
Recovery Process
11.2 Perform Automated Backups
11.3 Protect Recovery Data

11.4 Isolated Instance of Recovery
Data
11.5 Test Data Recovery
Ensure Network Infrastructure

12.1
is Up-to-Date

12.2
Secure Network Architecture

12.3
Infrastructure
Establish and Maintain

12.4
Architecture Diagram(s)
Centralize Network
12.5 Authentication, Authorization,
and Auditing (AAA)
Use of Secure Network
12.6 Management and
Communication Protocols
Ensure Remote Devices Utilize
a VPN and are Connecting to
12.7
an Enterprise’s AAA
Infrastructure
Centralize Security Event
13.1
Alerting

13.2
Detection Solution
Deploy a Network Intrusion

13.3
Detection Solution
Perform Traffic Filtering

13.4
Between Network Segments
Manage Access Control for

13.5
Remote Assets
Collect Network Traffic Flow

13.6
Logs

14.1
Security Awareness Program

14.2 Recognize Social Engineering
Attacks

14.3
Train Workforce on Data

14.4
Handling Best Practices

14.5 Causes of Unintentional Data
Exposure
14.6 Recognizing and Reporting
Security Incidents
Train Workforce on How to
Identify and Report if Their
14.7
Enterprise Assets are Missing
Security Updates
Train Workforce on the
Dangers of Connecting to and
14.8
Transmitting Enterprise Data
Over Insecure Networks
14.9

15.1
Inventory of Service Providers

15.2 Service Provider Management
Policy
15.3 Classify Service Providers
Ensure Service Provider

15.4 Contracts Include Security
Requirements

16.1 Secure Application
Development Process

16.2 Process to Accept and Address
Software Vulnerabilities
Perform Root Cause Analysis

16.3
on Security Vulnerabilities
Establish and Manage an
16.4 Inventory of Third-Party
Software Components
Use Up-to-Date and Trusted

16.5 Third-Party Software
Components

Severity Rating System and
16.6
Process for Application
Vulnerabilities

16.7 Configuration Templates for

16.8
Production Systems

16.9 Security Concepts and Secure
Coding
Apply Secure Design Principles

16.1
in Application Architectures

16.11 Services for Application
Security Components
Designate Personnel to
17.1
Manage Incident Handling

17.2 Information for Reporting
Security Incidents

17.3 Enterprise Process for
Reporting Incidents

17.4
Incident Response Process

17.5
Responsibilities

17.6 Communicating During Incident
Response
Conduct Routine Incident

17.7
Response Exercises
17.8 Conduct Post-Incident Reviews

18.1
Penetration Testing Program

18.2
Penetration Tests
Remediate Penetration Test

18.3
Findings
Risk Treatment Our Planned
Safeguard Description Implementation
Establish and maintain an accurate, detailed, and up-to-date inventory of all

enterprise assets with the potential to store or process data, to include: end-user
devices (including portable and mobile), network devices, non-computing/IoT
devices, and servers. Ensure the inventory records the network address (if static),
hardware address, machine name, enterprise asset owner, department for each
asset, and whether the asset has been approved to connect to the network. For
mobile end-user devices, MDM type tools can support this process, where
appropriate. This inventory includes assets connected to the infrastructure
physically, virtually, remotely, and those within cloud environments. Additionally, it
includes assets that are regularly connected to the enterprise’s network
infrastructure, even if they are not under control of the enterprise. Review and
update the inventory of all enterprise assets bi-annually, or more frequently.
Ensure that a process exists to address unauthorized assets on a weekly basis. The
enterprise may choose to remove the asset from the network, deny the asset from
connecting remotely to the network, or quarantine the asset.
Utilize an active discovery tool to identify assets connected to the enterprise’s

network. Configure the active discovery tool to execute daily, or more frequently.
Use DHCP logging on all DHCP servers or Internet Protocol (IP) address
management tools to update the enterprise’s asset inventory. Review and use logs
to update the enterprise’s asset inventory weekly, or more frequently.
Establish and maintain a detailed inventory of all licensed software installed on

enterprise assets. The software inventory must document the title, publisher, initial
install/use date, and business purpose for each entry; where appropriate, include
the Uniform Resource Locator (URL), app store(s), version(s), deployment
mechanism, and decommission date. Review and update the software inventory bi-
annually, or more frequently.
Ensure that only currently supported software is designated as authorized in the

software inventory for enterprise assets. If software is unsupported, yet necessary
for the fulfillment of the enterprise’s mission, document an exception detailing
mitigating controls and residual risk acceptance. For any unsupported software
without an exception documentation, designate as unauthorized. Review the
software list to verify software support at least monthly, or more frequently.
Ensure that unauthorized software is either removed from use on enterprise assets
or receives a documented exception. Review monthly, or more frequently.
Utilize software inventory tools, when possible, throughout the enterprise to

automate the discovery and documentation of installed software.
Use technical controls, such as application allowlisting, to ensure that only
authorized software can execute or be accessed. Reassess bi-annually, or more
frequently.
Use technical controls to ensure that only authorized software libraries, such as
specific .dll, .ocx, .so, etc., files, are allowed to load into a system process. Block
unauthorized libraries from loading into a system process. Reassess bi-annually, or
more frequently.
Establish and maintain a data management process. In the process, address data
sensitivity, data owner, handling of data, data retention limits, and disposal
requirements, based on sensitivity and retention standards for the enterprise.
Review and update documentation annually, or when significant enterprise changes
occur that could impact this Safeguard.
Establish and maintain a data inventory, based on the enterprise’s data
management process. Inventory sensitive data, at a minimum. Review and update
inventory annually, at a minimum, with a priority on sensitive data.
Configure data access control lists based on a user’s need to know. Apply data
access control lists, also known as access permissions, to local and remote file
systems, databases, and applications.
Retain data according to the enterprise’s data management process. Data retention
must include both minimum and maximum timelines.
Securely dispose of data as outlined in the enterprise’s data management process.
Ensure the disposal process and method are commensurate with the data
sensitivity.
Encrypt data on end-user devices containing sensitive data. Example
implementations can include: Windows BitLocker®, Apple FileVault®, Linux® dm-
crypt.
Establish and maintain an overall data classification scheme for the enterprise.
Enterprises may use labels, such as “Sensitive,” “Confidential,” and “Public,” and
classify their data according to those labels. Review and update the classification
scheme annually, or when significant enterprise changes occur that could impact
this Safeguard.
Document data flows. Data flow documentation includes service provider data flows
and should be based on the enterprise’s data management process. Review and
update documentation annually, or when significant enterprise changes occur that
could impact this Safeguard.
Encrypt data on removable media.

Encrypt sensitive data in transit. Example implementations can include: Transport
Layer Security (TLS) and Open Secure Shell (OpenSSH).
Encrypt sensitive data at rest on servers, applications, and databases containing
sensitive data. Storage-layer encryption, also known as server-side encryption,
meets the minimum requirement of this Safeguard. Additional encryption methods
may include application-layer encryption, also known as client-side encryption,
where access to the data storage device(s) does not permit access to the plain-text
data.
Segment data processing and storage based on the sensitivity of the data. Do not
process sensitive data on enterprise assets intended for lower sensitivity data.
Establish and maintain a secure configuration process for enterprise assets (end-
user devices, including portable and mobile, non-computing/IoT devices, and
servers) and software (operating systems and applications). Review and update
documentation annually, or when significant enterprise changes occur that could
impact this Safeguard.
Establish and maintain a secure configuration process for network devices. Review
and update documentation annually, or when significant enterprise changes occur
that could impact this Safeguard.
Configure automatic session locking on enterprise assets after a defined period of

inactivity. For general purpose operating systems, the period must not exceed 15
minutes. For mobile end-user devices, the period must not exceed 2 minutes.
Implement and manage a firewall on servers, where supported. Example

implementations include a virtual firewall, operating system firewall, or a third-party
firewall agent.
Implement and manage a host-based firewall or port-filtering tool on end-user
devices, with a default-deny rule that drops all traffic except those services and
ports that are explicitly allowed.
Securely manage enterprise assets and software. Example implementations include
managing configuration through version-controlled-infrastructure-as-code and
accessing administrative interfaces over secure network protocols, such as Secure
Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS). Do not use insecure
management protocols, such as Telnet (Teletype Network) and HTTP, unless
operationally essential.
Manage default accounts on enterprise assets and software, such as root,

administrator, and other pre-configured vendor accounts. Example implementations
can include: disabling default accounts or making them unusable.
Uninstall or disable unnecessary services on enterprise assets and software, such

as an unused file sharing service, web application module, or service function.
Configure trusted DNS servers on enterprise assets. Example implementations

include: configuring assets to use enterprise-controlled DNS servers and/or
reputable externally accessible DNS servers.
Enforce automatic device lockout following a predetermined threshold of local failed
authentication attempts on portable end-user devices, where supported. For
laptops, do not allow more than 20 failed authentication attempts; for tablets and
smartphones, no more than 10 failed authentication attempts. Example
implementations include Microsoft® InTune Device Lock and Apple® Configuration
Profile maxFailedAttempts.
Remotely wipe enterprise data from enterprise-owned portable end-user devices
when deemed appropriate such as lost or stolen devices, or when an individual no
longer supports the enterprise.
Establish and maintain an inventory of all accounts managed in the enterprise. The
inventory must include both user and administrator accounts. The inventory, at a
minimum, should contain the person’s name, username, start/stop dates, and
department. Validate that all active accounts are authorized, on a recurring
schedule at a minimum quarterly, or more frequently.
Use unique passwords for all enterprise assets. Best practice implementation
includes, at a minimum, an 8-character password for accounts using MFA and a 14-
character password for accounts not using MFA.
Delete or disable any dormant accounts after a period of 45 days of inactivity, where
supported.
Restrict administrator privileges to dedicated administrator accounts on enterprise

assets. Conduct general computing activities, such as internet browsing, email, and
productivity suite use, from the user’s primary, non-privileged account.
Establish and maintain an inventory of service accounts. The inventory, at a

minimum, must contain department owner, review date, and purpose. Perform
service account reviews to validate that all active accounts are authorized, on a
recurring schedule at a minimum quarterly, or more frequently.
Centralize account management through a directory or identity service.

Establish and follow a process, preferably automated, for granting access to
enterprise assets upon new hire, rights grant, or role change of a user.
Establish and follow a process, preferably automated, for revoking access to
enterprise assets, through disabling accounts immediately upon termination, rights
revocation, or role change of a user. Disabling accounts, instead of deleting
accounts, may be necessary to preserve audit trails.
Require all externally-exposed enterprise or third-party applications to enforce MFA,
where supported. Enforcing MFA through a directory service or SSO provider is a
satisfactory implementation of this Safeguard.
Require MFA for remote network access.

Require MFA for all administrative access accounts, where supported, on all
enterprise assets, whether managed on-site or through a third-party provider.
Establish and maintain an inventory of the enterprise’s authentication and
authorization systems, including those hosted on-site or at a remote service
provider. Review and update the inventory, at a minimum, annually, or more
frequently.
Centralize access control for all enterprise assets through a directory service or
SSO provider, where supported.
Establish and maintain a documented vulnerability management process for
enterprise assets. Review and update documentation annually, or when significant
enterprise changes occur that could impact this Safeguard.
Establish and maintain a risk-based remediation strategy documented in a
remediation process, with monthly, or more frequent, reviews.
Perform operating system updates on enterprise assets through automated patch

management on a monthly, or more frequent, basis.
Perform application updates on enterprise assets through automated patch

management on a monthly, or more frequent, basis.
Perform automated vulnerability scans of internal enterprise assets on a quarterly,

or more frequent, basis. Conduct both authenticated and unauthenticated scans,
using a SCAP-compliant vulnerability scanning tool.
Perform automated vulnerability scans of externally-exposed enterprise assets

using a SCAP-compliant vulnerability scanning tool. Perform scans on a monthly, or
more frequent, basis.
Remediate detected vulnerabilities in software through processes and tooling on a
monthly, or more frequent, basis, based on the remediation process.
Establish and maintain an audit log management process that defines the
enterprise’s logging requirements. At a minimum, address the collection, review,
and retention of audit logs for enterprise assets. Review and update documentation
annually, or when significant enterprise changes occur that could impact this
Safeguard.
Conduct reviews of audit logs to detect anomalies or abnormal events that could
indicate a potential threat. Conduct reviews on a weekly, or more frequent, basis.
Collect audit logs. Ensure that logging, per the enterprise’s audit log management
process, has been enabled across enterprise assets.
Ensure that logging destinations maintain adequate storage to comply with the
enterprise’s audit log management process.
Standardize time synchronization. Configure at least two synchronized time sources
across enterprise assets, where supported.
Configure detailed audit logging for enterprise assets containing sensitive data.
Include event source, date, username, timestamp, source addresses, destination
addresses, and other useful elements that could assist in a forensic investigation.
Collect DNS query audit logs on enterprise assets, where appropriate and
supported.
Collect URL request audit logs on enterprise assets, where appropriate and
supported.
Collect command-line audit logs. Example implementations include collecting audit
logs from PowerShell®, BASH™, and remote administrative terminals.
Centralize, to the extent possible, audit log collection and retention across
enterprise assets.
Retain audit logs across enterprise assets for a minimum of 90 days.
Ensure only fully supported browsers and email clients are allowed to execute in the
enterprise, only using the latest version of browsers and email clients provided
through the vendor.
Use DNS filtering services on all enterprise assets to block access to known
malicious domains.
Enforce and update network-based URL filters to limit an enterprise asset from
connecting to potentially malicious or unapproved websites. Example
implementations include category-based filtering, reputation-based filtering, or
through the use of block lists. Enforce filters for all enterprise assets.
Restrict, either through uninstalling or disabling, any unauthorized or unnecessary

browser or email client plugins, extensions, and add-on applications.
To lower the chance of spoofed or modified emails from valid domains, implement
DMARC policy and verification, starting with implementing the Sender Policy
Framework (SPF) and the DomainKeys Identified Mail (DKIM) standards.
Block unnecessary file types attempting to enter the enterprise’s email gateway.
Deploy and maintain anti-malware software on all enterprise assets.

Configure automatic updates for anti-malware signature files on all enterprise
assets.
Disable autorun and autoplay auto-execute functionality for removable media.
Configure anti-malware software to automatically scan removable media.
Enable anti-exploitation features on enterprise assets and software, where possible,

such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit
Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.
Centrally manage anti-malware software.
Use behavior-based anti-malware software.
Establish and maintain a data recovery process. In the process, address the scope
of data recovery activities, recovery prioritization, and the security of backup data.
Review and update documentation annually, or when significant enterprise changes
Perform automated backups of in-scope enterprise assets. Run backups weekly, or
more frequently, based on the sensitivity of the data.
Protect recovery data with equivalent controls to the original data. Reference
encryption or data separation, based on requirements.
Establish and maintain an isolated instance of recovery data. Example
implementations include, version controlling backup destinations through offline,
cloud, or off-site systems or services.
Test backup recovery quarterly, or more frequently, for a sampling of in-scope
enterprise assets.
Ensure network infrastructure is kept up-to-date. Example implementations include
running the latest stable release of software and/or using currently supported
network-as-a-service (NaaS) offerings. Review software versions monthly, or more
frequently, to verify software support.
Establish and maintain a secure network architecture. A secure network architecture

must address segmentation, least privilege, and availability, at a minimum.
Securely manage network infrastructure. Example implementations include version-

controlled-infrastructure-as-code, and the use of secure network protocols, such as
SSH and HTTPS.
Establish and maintain architecture diagram(s) and/or other network system
documentation. Review and update documentation annually, or when significant
Centralize network AAA.
Use secure network management and communication protocols (e.g., 802.1X, Wi-Fi
Protected Access 2 (WPA2) Enterprise or greater).
Require users to authenticate to enterprise-managed VPN and authentication

services prior to accessing enterprise resources on end-user devices.
Centralize security event alerting across enterprise assets for log correlation and
analysis. Best practice implementation requires the use of a SIEM, which includes
vendor-defined event correlation alerts. A log analytics platform configured with
security-relevant correlation alerts also satisfies this Safeguard.
Deploy a host-based intrusion detection solution on enterprise assets, where

appropriate and/or supported.
Deploy a network intrusion detection solution on enterprise assets, where
appropriate. Example implementations include the use of a Network Intrusion
Detection System (NIDS) or equivalent cloud service provider (CSP) service.
Perform traffic filtering between network segments, where appropriate.
Manage access control for assets remotely connecting to enterprise resources.

Determine amount of access to enterprise resources based on: up-to-date anti-
malware software installed, configuration compliance with the enterprise’s secure
configuration process, and ensuring the operating system and applications are up-
to-date.
Collect network traffic flow logs and/or network traffic to review and alert upon from
network devices.
Establish and maintain a security awareness program. The purpose of a security
awareness program is to educate the enterprise’s workforce on how to interact with
enterprise assets and data in a secure manner. Conduct training at hire and, at a
minimum, annually. Review and update content annually, or when significant
Train workforce members to recognize social engineering attacks, such as phishing,

pre-texting, and tailgating.
Train workforce members on authentication best practices. Example topics include

MFA, password composition, and credential management.
Train workforce members on how to identify and properly store, transfer, archive,
and destroy sensitive data. This also includes training workforce members on clear
screen and desk best practices, such as locking their screen when they step away
from their enterprise asset, erasing physical and virtual whiteboards at the end of
meetings, and storing data and assets securely.
Train workforce members to be aware of causes for unintentional data exposure.

Example topics include mis-delivery of sensitive data, losing a portable end-user
device, or publishing data to unintended audiences.
Train workforce members to be able to recognize a potential incident and be able to

report such an incident.
Train workforce to understand how to verify and report out-of-date software patches
or any failures in automated processes and tools. Part of this training should include
notifying IT personnel of any failures in automated processes and tools.
Train workforce members on the dangers of connecting to, and transmitting data
over, insecure networks for enterprise activities. If the enterprise has remote
workers, training must include guidance to ensure that all users securely configure
their home network infrastructure.
Conduct role-specific security awareness and skills training. Example
implementations include secure system administration courses for IT professionals,
OWASP® Top 10 vulnerability awareness and prevention training for web
application developers, and advanced social engineering awareness training for
high-profile roles.
Establish and maintain an inventory of service providers. The inventory is to list all
known service providers, include classification(s), and designate an enterprise
contact for each service provider. Review and update the inventory annually, or
when significant enterprise changes occur that could impact this Safeguard.
Establish and maintain a service provider management policy. Ensure the policy
addresses the classification, inventory, assessment, monitoring, and
decommissioning of service providers. Review and update the policy annually, or
when significant enterprise changes occur that could impact this Safeguard.
Classify service providers. Classification consideration may include one or more
characteristics, such as data sensitivity, data volume, availability requirements,
applicable regulations, inherent risk, and mitigated risk. Update and review
classifications annually, or when significant enterprise changes occur that could
Ensure service provider contracts include security requirements. Example

requirements may include minimum security program requirements, security incident
and/or data breach notification and response, data encryption requirements, and
data disposal commitments. These security requirements must be consistent with
the enterprise’s service provider management policy. Review service provider
contracts annually to ensure contracts are not missing security requirements.
Establish and maintain a secure application development process. In the process,

address such items as: secure application design standards, secure coding
practices, developer training, vulnerability management, security of third-party code,
and application security testing procedures. Review and update documentation
Safeguard.
Establish and maintain a process to accept and address reports of software

vulnerabilities, including providing a means for external entities to report. The
process is to include such items as: a vulnerability handling policy that identifies
reporting process, responsible party for handling vulnerability reports, and a process
for intake, assignment, remediation, and remediation testing. As part of the process,
use a vulnerability tracking system that includes severity ratings, and metrics for
measuring timing for identification, analysis, and remediation of
vulnerabilities. Review and update documentation annually, or when significant
Third-party application developers need to consider this an externally-facing policy

that helps to set expectations for outside stakeholders.
Perform root cause analysis on security vulnerabilities. When reviewing

vulnerabilities, root cause analysis is the task of evaluating underlying issues that
create vulnerabilities in code, and allows development teams to move beyond just
fixing individual vulnerabilities as they arise.
Establish and manage an updated inventory of third-party components used in
development, often referred to as a “bill of materials,” as well as components slated
for future use. This inventory is to include any risks that each third-party component
could pose. Evaluate the list at least monthly to identify any changes or updates to
these components, and validate that the component is still supported.
Use up-to-date and trusted third-party software components. When possible,

choose established and proven frameworks and libraries that provide adequate
security. Acquire these components from trusted sources or evaluate the software
for vulnerabilities before use.
Establish and maintain a severity rating system and process for application
vulnerabilities that facilitates prioritizing the order in which discovered vulnerabilities
are fixed. This process includes setting a minimum level of security acceptability for
releasing code or applications. Severity ratings bring a systematic way of triaging
vulnerabilities that improves risk management and helps ensure the most severe
bugs are fixed first. Review and update the system and process annually.
Use standard, industry-recommended hardening configuration templates for

application infrastructure components. This includes underlying servers, databases,
and web servers, and applies to cloud containers, Platform as a Service (PaaS)
components, and SaaS components. Do not allow in-house developed software to
weaken configuration hardening.
Ensure that all software development personnel receive training in writing secure
code for their specific development environment and responsibilities. Training can
include general security principles and application security standard practices.
Conduct training at least annually and design in a way to promote security within the
development team, and build a culture of security among the developers.
Apply secure design principles in application architectures. Secure design principles

include the concept of least privilege and enforcing mediation to validate every
operation that the user makes, promoting the concept of "never trust user input."
Examples include ensuring that explicit error checking is performed and
documented for all input, including for size, data type, and acceptable ranges or
formats. Secure design also means minimizing the application infrastructure attack
surface, such as turning off unprotected ports and services, removing unnecessary
programs and files, and renaming or removing default accounts.
Leverage vetted modules or services for application security components, such as

identity management, encryption, and auditing and logging. Using platform features
in critical security functions will reduce developers’ workload and minimize the
likelihood of design or implementation errors. Modern operating systems provide
effective mechanisms for identification, authentication, and authorization and make
those mechanisms available to applications. Use only standardized, currently
accepted, and extensively reviewed encryption algorithms. Operating systems also
provide mechanisms to create and maintain secure audit logs.
Designate one key person, and at least one backup, who will manage the
enterprise’s incident handling process. Management personnel are responsible for
the coordination and documentation of incident response and recovery efforts and
can consist of employees internal to the enterprise, third-party vendors, or a hybrid
approach. If using a third-party vendor, designate at least one person internal to the
enterprise to oversee any third-party work. Review annually, or when significant
Establish and maintain contact information for parties that need to be informed of
security incidents. Contacts may include internal staff, third-party vendors, law
enforcement, cyber insurance providers, relevant government agencies, Information
Sharing and Analysis Center (ISAC) partners, or other stakeholders. Verify contacts
annually to ensure that information is up-to-date.
Establish and maintain an enterprise process for the workforce to report security
incidents. The process includes reporting timeframe, personnel to report to,
mechanism for reporting, and the minimum information to be reported. Ensure the
process is publicly available to all of the workforce. Review annually, or when
significant enterprise changes occur that could impact this Safeguard.
Establish and maintain an incident response process that addresses roles and
responsibilities, compliance requirements, and a communication plan. Review
Safeguard.
Assign key roles and responsibilities for incident response, including staff from legal,
IT, information security, facilities, public relations, human resources, incident
responders, and analysts, as applicable. Review annually, or when significant
Determine which primary and secondary mechanisms will be used to communicate
and report during a security incident. Mechanisms can include phone calls, emails,
or letters. Keep in mind that certain mechanisms, such as emails, can be affected
during a security incident. Review annually, or when significant enterprise changes
Plan and conduct routine incident response exercises and scenarios for key
personnel involved in the incident response process to prepare for responding to
real-world incidents. Exercises need to test communication channels, decision
making, and workflows. Conduct testing on an annual basis, at a minimum.
Conduct post-incident reviews. Post-incident reviews help prevent incident

recurrence through identifying lessons learned and follow-up action.
Establish and maintain a penetration testing program appropriate to the size,
complexity, and maturity of the enterprise. Penetration testing program
characteristics include scope, such as network, web application, Application
Programming Interface (API), hosted services, and physical premise controls;
frequency; limitations, such as acceptable hours, and excluded attack types; point of
contact information; remediation, such as how findings will be routed internally; and
retrospective requirements.
Perform periodic external penetration tests based on program requirements, no less

than annually. External penetration testing must include enterprise and
environmental reconnaissance to detect exploitable information. Penetration testing
requires specialized skills and experience and must be conducted through a
qualified party. The testing may be clear box or opaque box.
Remediate penetration test findings based on the enterprise’s policy for remediation
scope and prioritization.
Safeguard Impact Safeguard Impact
Safeguard Maturity Safeguard Expectancy Safeguard Impact
to Operational to Financial
Score Score to Mission
Reasonable and Risk Treatment
Safeguard Impact Safeguard Risk
Acceptable Safeguard Cost
to Obligations Score
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
Impact to
Implementation Reasonabl
Implementation Year Financial Year
Quarter e?
Objectives
$ - 2021 Yes
$ - 2022 Yes
$ - 2023 Yes
$ - 2024 Yes
$ - 2025 Yes
$ - 2026 Yes
$ - 2027 Yes
$ - 2028 Yes
$ - 2029 Yes
$ - 2030 Yes
Color
Color Key
Risk Register Title

Asset Class
Asset Name
CIS Safeguard #
CIS Safeguard Title

IG1
IG2
NIST CSF Security Function
Our Implementation
Evidence of Implementation
Vulnerabilities
Risk Analysis
Safeguard Maturity Score
VCDB Index
Expectancy Score
Impact to Mission
Impact to Operational Objectives
Impact to Financial Objectives

Impact to Obligations
Risk Score
Risk Level
Risk Treatment Option
Risk Treatment
Safeguard Title
Risk Treatment
Safeguard Description
Our Planned Implementation
Maturity Score
Risk Treatment
Safeguard Expectancy Score
Impact to Mission
Risk Treatment Risk Treatment Safeguard
Impact to Operational Objectives


Impact to Obligations
Risk Treatment Safeguard Risk
Score
Reasonable and Acceptable
Risk Treatment Safeguard Cost
Implementation Quarter
Implementation Year

Reasonable Annual
Year
Cost
Reasonable?
Meaning
Automated or fixed values on the Risk Analysis side of the Risk Register. While the worksheet
is in protected mode, these values cannot be changed.
Automated or fixed values on the Risk Treatment side of the Risk Register. While the
worksheet is in protected mode, these values cannot be changed.
For user input. Risk assessors will add values into these columns.
For optional user input. Risk assessors may add values into these columns if it's useful to
them.
Automated or fixed values on the Reasonable Annual Cost side of the Risk Register. While the
worksheet is in protected mode, these values cannot be changed.
Meaning
The asset class, as published in the CIS Controls.
An optional field used to input the name of an individual asset to distinguish its risks from other
Asset Class risks.
The unique CIS Safeguard identifier, as published in the CIS Controls.
The title of the CIS Safeguard, as published in the CIS Controls.

The Implementation Group, as published in the CIS Controls.
The Implementation Group, as published in the CIS Controls.
Mapping between the NIST CSF Security Functions and CIS Safeguards, as published in the
CIS Controls.
A brief description of how the Safeguard is already implemented and operated in the
enterprise.
Proof to show how the Safeguard is implemented and operated in the enterprise.
An optional field used to record a vulnerability with a specific asset, such as a vulnerability in
an application, as an example.
A score of '1' through '5' designating the reliability of a Safeguard's effectiveness against
threats.
An automatically calculated value to represent how common the related threat is as a cause for
reported cybersecurity incidents.
An automatically calculated value to represent how commonly the related threat would be the
cause of a cybersecurity incident, given your current Safeguard and the reported commonality
of the attack.
The magnitude of harm that a successful threat would cause to your Mission.
The magnitude of harm that a successful threat would cause to your Operational Objectives.
The magnitude of harm that a successful threat would cause to your Financial Objectives.
The magnitude of harm that a successful threat would cause to your Obligations.
The product of the Expectancy and the highest of the three Impacts.
An evaluation of the risk as negligible, acceptable, unacceptable, high, or catastrophic.
A statement about whether the enterprise will accept or reduce the risk.
The unique CIS Safeguard identifier, as published in the CIS Controls.
The title of the CIS Safeguard, as published in the CIS Controls.
The description of the CIS Safeguard, as published in the CIS Controls.
A brief description of how the Safeguard will be implemented and operated in the enterprise.
A score of '1' through '5' designating the planned reliability of a Safeguard's effectiveness
against threats.
An automatically calculated value to represent how commonly the related threat would be the
cause of a cybersecurity incident, given the planned Safeguard.
The magnitude of harm that a successful threat would cause to your Mission.
The magnitude of harm that a successful threat would cause to your Operational Objectives.
The magnitude of harm that a successful threat would cause to your Financial Objectives.
The magnitude of harm that a successful threat would cause to your Obligations.
The product of the Expectancy and the highest of the three impacts, given the planned
Safeguard.
A determination of whether the planned Safeguard is reasonable and acceptable.
An estimate of how much the Safeguard is expected to cost.
When the Safeguard is planned for completion of implementation (which quarter).
When the Safeguard is planned for completion of implementation (which year).
The total Risk Treatment Safeguard Cost for the year.

The year the total cost was incurred.
Whether or not the total cost falls above or below the acceptable limit, based on the
Acceptable Criteria for the enterprise's Financial Objectives.
Impact Criteria
Impact Scores Mission Operational Objectives
Definition Required Required

1. Negligible Use Default or Custom Responses Use Default or Custom Responses
2. Acceptable Use Default or Custom Responses Use Default or Custom Responses
3. Unacceptable Use Default or Custom Responses Use Default or Custom Responses
4. High Use Default or Custom Responses Use Default or Custom Responses

5. Catastrophic Use Default or Custom Responses Use Default or Custom Responses
Inherent Risk Criteria
Asset Class Mission Impact Operational Objectives Impact

Enterprise Calculated Field Calculated Field
Devices Required Required
Applications Required Required
Data Required Required
Network Required Required

Users Required Required
Risk Levels
Red Red indicates that the risk is “urgent.”
Yellow indicates that the risk is

Yellow
“unacceptably high, but not urgent.”
Green indicates that the risk evaluates

Green
as “acceptable.”
Criteria
Financial Objectives Obligations
Optional Required
Optional Use Default or Custom Responses

Use Default or Custom Responses
sk Criteria
Financial Objectives Impact Obligations Impact

Calculated Field Calculated Field
Required Required
Required Required
Required Required
Required Required
Required Required
Asset Classes
Asset Classes
Applications
Data
Devices
Enterprise
Network
Users
Maturity Scores
Maturity Scores
1
2
3
4
5
Expectancy Criteria
Expectancy Scores
1
2
3
4
5
Risk Acceptance Criteria
Acceptable Risk Score

Complete the Risk Acceptance Criteria
table in Enterprise Parameters
VCDB Index
Incident Count
Asset Class
Enterprise
Applications
Data
Devices
Network
Users
Unknown
VCDB Index Weight Table
VCDB Index Lookup

51
52
53
54
55
41
42
43
44
45
31
32
33
34
35
21
22
23
24
25
11
12
13
14
15
Used to associate Safeguards with Asset Classes
Used for "Safeguard Maturity Score" and "Risk Treatment Safeguard

Maturity Score"
Definition
Safeguard is not implemented or is inconsistently implemented.
Safeguard is implemented fully on some assets or partially on all
assets.
Safeguard is implemented on all assets.
Safeguard is tested and inconsistencies are corrected.
Safeguard has mechanisms that ensure consistent implementation
over time.
Used for "Expectancy Score" and "Risk Treatment Safeguard

Expectancy Score"
Expectancy
Remote
Unlikely
As likely as not
Likely
Certain
Used to evaluate risk acceptance
Risk Acceptance Criteria
Complete the Risk Acceptance Criteria table in Enterprise parameters.
Used to populate "VCDB Index"

8893
Sum of Threat Count / Industry
4458
1253
4458
798
62
4458
863
Used to calculate "Expectancy Score" and "Risk Treatment Safeguard

Expectancy Score"
Maturity
5
5
5
5
5
4
4
4
4
4
3
3
3
3
3
2
2
2
2
2
1
1
1
1
1
Criteria
Safeguard would reliably prevent the threat.
Safeguard would reliably prevent most occurrences of the
threat.
Safeguard would prevent as many threat occurrences as it
would miss.
Safeguard would prevent few threat occurrences.
Safeguard would not prevent threat occurrences.
As of 7/29/2021
Percentage Index
50% 3
14% 2
50% 3
9% 1
1% 1
50% 3
10% 1
VCDB Index Expectancy

1 1
2 1
3 1
4 2
5 2
1 1
2 2
3 2
4 3
5 3
1 1
2 2
3 3
4 4
5 5
1 3
2 3
3 4
4 4
5 5
1 4
2 4
3 5
4 5
5 5
CIS CSAT Pro
CIS CSAT Pro for CIS Controls v7.1
CSAT Pro Export CSAT Pro Score CIS RAM Maturity

v7.1 Safeguard #
Score (Stripped) Score Final
1.1
1.3
1.4
1.5
1.6
1.7
2.1
2.2
2.3
2.4
2.6
3.1
3.2
3.3
3.4
3.5
3.6
3.7
4.1
4.2
4.3
4.4
4.5
4.6
4.7
4.8
4.9
5.1
5.2
5.3
5.4
5.5
6.1
6.2
6.3
6.4
6.5
6.6
6.7
7.1
7.2
7.3
7.4
7.5
7.6
7.7
7.8
7.9
8.1
8.2
8.3
8.4
8.5
8.6
8.7
8.8
9.1
9.2
9.3
9.4
10.1
10.2
10.3
10.4
10.5
11.1
11.2
11.3
11.4
11.5
11.6
11.7
12.1
12.2
12.3
12.4
12.5
12.6
12.8
12.11
13.1
13.2
13.4
13.6
13.7
14.1
14.2
14.3
14.4
14.6
15.1
15.2
15.3
15.6
15.7
15.9
15.10
16.1
16.2
16.3
16.4
16.5
16.6
16.7
16.8
16.9
16.10
16.11
16.12
17.1
17.2
17.3
17.4
17.5
17.6
17.7
17.8
17.9
18.1
18.2
18.3
18.4
18.5
18.6
18.7
18.8
18.9
18.10
18.11
19.1
19.2
19.3
19.4
19.5
19.6
19.7
20.1
20.2
20.4
20.5
20.6
20.8
SAT Pro

v8 Safeguard #
1.1
1.2
1.3
1.4
2.1
2.2
2.3
2.4
2.5
2.6
3.1
3.2
3.3
3.4
3.5
3.6
3.7
3.8
3.9
3.10
3.11
3.12
4.1
4.2
4.3
4.4
4.5
4.6
4.7
4.8
4.9
4.10
4.11
5.1
5.2
5.3
5.4
5.5
5.6
6.1
6.2
6.3
6.4
6.5
6.6
6.7
7.1
7.2
7.3
7.4
7.5
7.6
7.7
8.1
8.2
8.3
8.4
8.5
8.6
8.7
8.8
8.9
8.10
8.11
9.1
9.2
9.3
9.4
9.5
9.6
10.1
10.2
10.3
10.4
10.5
10.6
10.7
11.1
11.2
11.3
11.4
11.5
12.1
12.2
12.3
12.4
12.5
12.6
12.7
13.1
13.2
13.3
13.4
13.5
13.6
14.1
14.2
14.3
14.4
14.5
14.6
14.7
14.8
14.9
15.1
15.2
15.3
15.4
16.1
16.2
16.3
16.4
16.5
16.6
16.7
16.8
16.9
16.10
16.11
17.1
17.2
17.3
17.4
17.5
17.6
17.7
17.8
18.1
18.2
18.3
Instructions for Importing CIS CSAT Pro Scores
into CIS RAM
1) In CIS CSAT Pro, filter on IG1 and IG2 and Export Filtered CSV.
a. Go to the Assessment Summary page for the assessment of interest (this is reachable from the
Assessment Summary tab at the top of the Assessment Dashboard for that assessment).
b. Click the Filter button.

c. Select "IG-1 & IG-2" for the Implementation Group filter and click Search.
d. Click the "Export Filtered CSV" button to export the report.
2) Copy your scores from the exported CSAT Pro CSV file to the CIS RAM for IG2 Workbook.
a. In the CSAT Pro CSV file, copy the contents of column E (labeled “Sub-Control[1] Score”)
excluding the heading row.
b. Go to the “CIS CSAT Pro” tab in the CIS RAM for IG2 Workbook.
c. Find the appropriate section in the “CIS CSAT Pro” tab based on which CIS Controls version you
are using (either CSAT Pro for CIS Controls v7.1 or CSAT Pro for CIS Controls v8.0).
d. Paste the copied data into the appropriate section of the “CIS CSAT Pro” tab.
e. For instance, if you are using Controls v7.1, you might copy cells E2 to E141 from the CSAT Pro
CSV to C5 to C146 in the “CIS CSAT Pro” tab of the CIS RAM for IG2 Workbook.
3) Note: Adjustments may need to be made based on your scoring from CSAT to CIS RAM.
4) Once scores are final, go to the appropriate CIS RAM tab – “3a. Risk Register Controls v7.1” for v7.1
of the CIS Controls or “3b. Risk Register Controls v8” for v8 of the CIS Controls.
a. Sort the Risk Register by ‘CIS Safeguard #,’ lowest to highest. (This is a critical step, as the Risk
Register is sorted by ‘Asset Class’ by default, not ‘CIS Safeguard #.’)
5) Copy the scores in the “CIS RAM Maturity Score Final” column into the “Safeguard Maturity Score”
column of the appropriate CIS RAM tab – “3a. Risk Register Controls v7.1” for v7.1 of the CIS Controls or
“3b. Risk Register Controls v8” for v8 of the CIS Controls.
a. Right-click to copy and “Paste Special” as “Values” (e.g., 1,2,3).
b. Note: Values of ‘N’ and ‘DIV/0!’ may copy over from the “CIS CSAT Pro” and “CIS-Hosted CSAT”
tabs, if present. If copied, these values can be deleted from the “Safeguard Maturity Score” cell and
will not affect the functionality of the CIS RAM Risk Register.
6) Re-sort the Risk Register by ‘Asset Class,’ A > Z.
Note: Please ensure that your enterprise's method for scoring Safeguards in CSAT Pro
aligns closely enough with the CIS RAM Maturity Scores (defined below). Adjustments
may need to be made based on your current scoring.
Maturity Scores
2
3
4
5
lease ensure that your enterprise's method for scoring Safeguards in CSAT Pro
closely enough with the CIS RAM Maturity Scores (defined below). Adjustments
may need to be made based on your current scoring.
Definition
Safeguard is implemented fully on some assets or partially on all assets.

Safeguard has mechanisms that ensure consistent implementation over time.
CIS-Hosted CSAT
Policy Defined Control Implemented
Maturity Scores
1 No Policy Not Implemented
2 Informal Policy Parts of Policy Implemented

3 Partially Written Policy Implemented on Some Systems
4 Written Policy Implemented on Most Systems
5 Approved Written Policy Implemented on All Systems
Unknown - Unscored None None
Unknown - N/A Not Applicable Not Applicable
CIS-Hosted CSAT for

CIS-Hosted CSAT Values From XLSX Export
CIS Controls v7.1
v7.1 Safeguard # Policy Defined Control Implemented
1.1
1.3
1.4
1.5
1.6
1.7
2.1
2.2
2.3
2.4
2.6
3.1
3.2
3.3
3.4
3.5
3.6
3.7
4.1
4.2
4.3
4.4
4.5
4.6
4.7
4.8
4.9
5.1
5.2
5.3
5.4
5.5
6.1
6.2
6.3
6.4
6.5
6.6
6.7
7.1
7.2
7.3
7.4
7.5
7.6
7.7
7.8
7.9
8.1
8.2
8.3
8.4
8.5
8.6
8.7
8.8
9.1
9.2
9.3
9.4
10.1
10.2
10.3
10.4
10.5
11.1
11.2
11.3
11.4
11.5
11.6
11.7
12.1
12.2
12.3
12.4
12.5
12.6
12.8
12.11
13.1
13.2
13.4
13.6
13.7
14.1
14.2
14.3
14.4
14.6
15.1
15.2
15.3
15.6
15.7
15.9
15.10
16.1
16.2
16.3
16.4
16.5
16.6
16.7
16.8
16.9
16.10
16.11
16.12
17.1
17.2
17.3
17.4
17.5
17.6
17.7
17.8
17.9
18.1
18.2
18.3
18.4
18.5
18.6
18.7
18.8
18.9
18.10
18.11
19.1
19.2
19.3
19.4
19.5
19.6
19.7
20.1
20.2
20.4
20.5
20.6
20.8
CIS-Hosted CSAT
Control Automated Control Reported
Maturity Scores
Not Automated Not Reported 1
Parts of Policy Automated Parts of Policy Reported 2

Automated on Some Systems Reported on Some Systems 3
Automated on Most Systems Reported on Most Systems 4
Automated on All Systems Reported on All Systems 5
Unknown -
None None
Unscored
Not Applicable Not Applicable Unknown - N/A
d CSAT Values From XLSX Export Calculated Numerical Score
Control Automated Control Reported Policy Defined Control Implemented
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
CIS-Hosted CSA
ulated Numerical Score

CIS RAM Maturity Score CIS RAM Maturity Score
Average Final
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A

#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
sted CSAT
CIS-Hosted CSAT for CIS

Controls v8.0
v8 Safeguard # Policy Defined Control Implemented
1.1
1.2
1.3
1.4
2.1
2.2
2.3
2.4
2.5
2.6
3.1
3.2
3.3
3.4
3.5
3.6
3.7
3.8
3.9
3.10
3.11
3.12
4.1
4.2
4.3
4.4
4.5
4.6
4.7
4.8
4.9
4.10
4.11
5.1
5.2
5.3
5.4
5.5
5.6
6.1
6.2
6.3
6.4
6.5
6.6
6.7
7.1
7.2
7.3
7.4
7.5
7.6
7.7
8.1
8.2
8.3
8.4
8.5
8.6
8.7
8.8
8.9
8.10
8.11
9.1
9.2
9.3
9.4
9.5
9.6
10.1
10.2
10.3
10.4
10.5
10.6
10.7
11.1
11.2
11.3
11.4
11.5
12.1
12.2
12.3
12.4
12.5
12.6
12.7
13.1
13.2
13.3
13.4
13.5
13.6
14.1
14.2
14.3
14.4
14.5
14.6
14.7
14.8
14.9
15.1
15.2
15.3
15.4
16.1
16.2
16.3
16.4
16.5
16.6
16.7
16.8
16.9
16.10
16.11
17.1
17.2
17.3
17.4
17.5
17.6
17.7
17.8
18.1
18.2
18.3
CSAT Values From XLSX Export Calculated Numerical Score
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
lculated Numerical Score
CIS RAM Maturity CIS RAM Maturity
Score Average Score Final
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A

#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
Instructions for Importing CIS-Hosted CSAT Scores
RAM
1) In CIS-Hosted CSAT, filter on IG1 and IG2 and export the filtered Safeguards.
a. Go to the All Controls page for the assessment of interest (this is reachable from the All Control
the left under “Current Assessment”).
b. Click the Filter button.
c. Select both “Group 1” and “Group 2” for the Implementation Group filter and click Filter.
d. Check to see if any of these Safeguards are in the blue (Not Assessed) state. You can see this
there will be a colored circle in each row by the Safeguard number. Any Safeguards that have a blue
export; if you have any blue Safeguards and you want to continue these steps, one way to get them
to:
i. Select the checkbox next to each blue Safeguard.
ii. Select “Un-Assign the control” from the Bulk Action option dropdown and click the “Save”
dropdown. Please note: If any of the selected Safeguards were assigned, this will remove the
date.
e. Click the Download Report button to export the report.
2) Copy your scores from the exported CIS-Hosted CSAT XLSX file to the CIS RAM for IG2 Workbook.
a. In the CIS-Hosted CSAT XLSX file, copy the contents of columns E through H (labeled Policy D
Implemented, Control Automated, and Control Reported) excluding the heading row.
b. Go to the “CIS-Hosted CSAT” tab in the CIS RAM for IG2 Workbook.
c. Find the appropriate section in the “CIS-Hosted CSAT” tab based on which CIS Controls version
CIS-Hosted CSAT for CIS Controls v7.1 or CIS-Hosted CSAT for CIS Controls v8).
d. Paste the copied data into the appropriate section of the “CIS-Hosted CSAT” tab.
e. For instance, if you are using Controls v7.1, you might copy the cells from E2:E141 over to H2:H
Hosted CSAT XLSX file, select cell C14 in the “CIS-Hosted CSAT” tab in the CIS RAM for IG2 Workb
there.
3) Note: Adjustments may need to be made based on your scoring from CSAT to CIS RAM.
4) Once scores are final, go to the appropriate CIS RAM tab – “3a. Risk Register Controls v7.1” for v7.1 o
“3b. Risk Register Controls v8” for v8 of the CIS Controls.
a. Sort the Risk Register by ‘CIS Safeguard #,’ lowest to highest. (This is a critical step, as the Ris
‘Asset Class’ by default, not ‘CIS Safeguard #.’)
5) Copy the scores in the “CIS RAM Maturity Score Final” column into the “Safeguard Maturity Score” colu
CIS RAM tab – “3a. Risk Register Controls v7.1” for v7.1 of the CIS Controls or “3b. Risk Register Controls v
Controls.
a. Right-click to copy and “Paste Special” as “Values” (e.g., 1,2,3).
b. Note: Values of ‘N’ and ‘DIV/0!’ may copy over from the “CIS CSAT Pro” and “CIS-Hosted CSAT
copied, these values can be deleted from the “Safeguard Maturity Score” cell and will not affect the f
RAM Risk Register.
6) Re-sort the Risk Register by ‘Asset Class,’ A > Z.
Note: This method will average the four scoring categories in CIS-Hosted CSAT for each Safegu
those averages with the CIS RAM Maturity Scores. Please review the CIS RAM Maturity Scores, a
to ensure this method aligns closely enough for your enterprise's scoring practice
Maturity Scores
3
4
5
is method will average the four scoring categories in CIS-Hosted CSAT for each Safeguard and aligns
ages with the CIS RAM Maturity Scores. Please review the CIS RAM Maturity Scores, as defined below,
to ensure this method aligns closely enough for your enterprise's scoring practices.
Definition
Safeguard is implemented fully on some assets or partially on all assets.

Safeguard has mechanisms that ensure consistent implementation over time.

1 Mission
Instructions: Imagine that your enterprise suffers a cybersecurity or information security incident. Descr
determine that the impacts to your mission were acceptable, or unacceptable.
Impact Magnitude
Negligible
Acceptable
Unacceptable
High
Catastrophic
Operational
2
Objectives
determine that the impacts to your operational objectives were acceptable, or unacceptable.
Impact Magnitude
Negligible
Acceptable
Unacceptable
High
Catastrophic
3 Financial Objectives
determine that the impacts to your financial objectives were acceptable, or unacceptable.
Impact Magnitude
Negligible
Acceptable
Unacceptable
High
Catastrophic
4 Obligations
determine that the impacts to your obligations (harm, to others) were acceptable, or unacceptable.
Impact Magnitude
Negligible
Acceptable
Unacceptable
High
Catastrophic
Prompt
How would you concisely describe the benefit that your enterprise
provides your customers, clients, constituents, or the public? This is
why they engage in this risk with you.
agine that your enterprise suffers a cybersecurity or information security incident. Describe in the spaces provided below how you would
he impacts to your mission were acceptable, or unacceptable.
Prompt
What observable evidence would you have that your mission - as you
defined it above - would be unaffected?
What observable evidence would you have that your mission would be
compromised, but it would not require correction?
compromised in a way that would require correction, but the correction
could be achieved through the normal course of business?
compromised so badly that extraordinary efforts would be required to
restore it?
compromised so badly that it could not be achieved?
Prompt
What business or organizational goals does the enterprise attempt to

achieve?
he impacts to your operational objectives were acceptable, or unacceptable.
Prompt

objectives would be compromised, but it would not require correction?

correction, but the correction could be achieved through the normal
course of business?
objectives would be compromised so badly that extraordinary efforts
would be required to restore them?
objectives would be compromised so badly that they could not be
achieved?
Prompt
What are the unexpected cost outlays that your enterprise could or
could not tolerate?
he impacts to your financial objectives were acceptable, or unacceptable.
Prompt
What observable evidence would you have that your financial objectives
- as you defined them above - would be unaffected?
would be compromised, but it would not require correction?
would be compromised in a way that would require correction, but the
correction could be achieved through the normal course of business?
would be compromised so badly that extraordinary efforts would be
required to restore them?
Leave this blank
Prompt
What harm may foreseeably come to others as a result of a

cybersecurity incident?
he impacts to your obligations (harm, to others) were acceptable, or unacceptable.
Prompt
Describe a condition where others would not be harmed.
Describe a condition where others would not be harmed to a degree

that required correction or compensation.
Describe a condition where one or few others would be harmed to a

degree that you could correct.
Describe a condition where many others would be harmed to a degree
that you could correct, or where few others are harmed to a degree that
others would always have a small degree of impairment.
Describe a condition where others would be irreparably harmed.

Response
Reliably produce just-in-time, custom widgets that meet
demanding resiliency and design specifications, and
within market-leading turnaround times.
incident. Describe in the spaces provided below how you would

All data on this page is considered
reflect any one individual organiza
to be used for demo
Response
All orders would be produced within specifications and on
time and without unplanned effort.
time, but some may require unplanned effort to stay within
tolerance metrics.
Few orders each quarter (outside of our tolerance metrics)

may miss targets, but could be corrected with adjustments
or discounts.
We would repeatedly miss targets outside of tolerance

metrics, requiring regular adjustments or discounts per
quarter, or would require significant re-investment to
operate regularly within our tolerance metrics.
We could not meet our mission.
Response
To maintain our market position as the best custom

widgets manufacturer.

le.
Response
Ranked as #1 in all categories in annual "Custom Widget
World" Magazine poll.
Ranked as #1 in only one category of "Custom Widget

World" Magazine poll for only one year.
Not ranked #1 in any category of "Custom Widget World"

Magazine poll for one year.
Not ranked in top three in any category of "Custom

Widget World" Magazine poll for two years or more.
Unable to rank well in annual "Custom Widget World"
Magazine poll.
Response
To achieve our profit goals each year.
Response
$1,000
This enterprise could
tolerate a loss up to
$10,000 $10,000.
If this enterprise loses
more than $500,000,
$500,000 they could not recover.
$5,000,000
Response
To protect our customers from harm due to loss of their

intellectual property.

cceptable.
Response
No customer would suffer a loss of competitive
advantage.
One or few customers may be concerned about potential

loss of competitive advantage, but no harm would result.
One or few customers would suffer minor loss of

competitive advantage, but they could be made whole
Many customers would suffer minor loss of competitive
advantage, or one to few customers would suffer harm
that would require significant business investment or
planning to recover.
We would not be able to protect our customers from
losses due to intellectual property theft.
on this page is considered sample data only, and not meant to
any one individual organization's Impact Criteria Survey. Only
to be used for demonstration purposes.
1 Enterprise Risk Assessment Criteria
2 Impact Criteria
Impact Scores
Definition
1. Negligible
2. Acceptable
3. Unacceptable
4. High
5. Catastrophic
3 Expectancy Criteria
Expectancy Score
1
2
3
4
5
4 Risk Acceptance Criteria
We would start to invest against risks to prevent

this expectancy and impact, or higher.
5 Inherent Risk Criteria
Asset Class
Enterprise
Devices
Applications
Data
Network
Users
Enterprise Name
Scope
Last Completed (Date)
Mission
Reliably produce just-in-time, custom widgets that meet
demanding resiliency and design specifications, and
within market-leading turnaround times.
time and without unplanned effort.
time, but some may require unplanned effort to stay within
tolerance metrics.
Few orders each quarter (outside of our tolerance
metrics) may miss targets, but could be corrected with
adjustments or discounts.
We would repeatedly miss targets outside of tolerance

metrics, requiring regular adjustments or discounts per
quarter, or would require significant re-investment to
operate regularly within our tolerance metrics.
We could not meet our mission.
Expectancy
Remote
Unlikely
As likely as not
Likely
Certain
Expectancy
3
Acceptable Risk is less than …
What is the highest impact to the Mission, Operational Objectives, Financial Objectives, and Obligations that each Asset Type c
The "Enterprise" Asset Class will automatically use the highest Impact Score you provide for the assets below.
Mission Impact
4
2
4
3
3
3
Example Manufacturer
Enterprise
31-Jul-21
Operational Objectives
To maintain our market position as the best custom

widgets manufacturer.
Ranked as #1 in all categories in annual "Custom Widget

World" Magazine poll.
Ranked as #1 in only one category of "Custom Widget

World" Magazine poll for only one year.
Not ranked #1 in any category of "Custom Widget World"

Magazine poll for one year.
Not ranked in top three in any category of "Custom

Widget World" Magazine poll for two years or more.
Unable to rank well in annual "Custom Widget World"

Magazine poll.
Criteria
Safeguard would reliably prevent the threat.
Safeguard would reliably prevent most occurrences of the
threat.
Safeguard would prevent as many threat occurrences as
it would miss.
Safeguard would prevent few threat occurrences.
Safeguard would not prevent threat occurrences.
Impact
3
9
rational Objectives, Financial Objectives, and Obligations that each Asset Type could cause?
use the highest Impact Score you provide for the assets below.
Operational Objectives Impact

4
1
2
4
4
3
Financial Objectives
To achieve our profit goals each year.
$ 1,000.00
$ 10,000.00
$ 500,000.00
$ 5,000,000.00
hat each Asset Type could cause?
elow.
Financial Objectives Impact

5
3
4
5
3
4
Obligations
To protect our customers from harm due to loss of their

intellectual property.
No customer would suffer a loss of competitive

advantage.
One or few customers may be concerned about potential

loss of competitive advantage, but no harm would result.
One or few customers would suffer minor loss of

competitive advantage, but they could be made whole
Many customers would suffer minor loss of competitive

advantage, or one to few customers would suffer harm
that would require significant business investment or
planning to recover.
We would not be able to protect our customers from

losses due to intellectual property theft.
Obligations Impact
The highest
5 Obligations Impact
3 Score that an asset
5 could cause would be
2 '4'.
If the network in this
1 enterprise were
4 compromised, the
highest Obligations
Impact it could create
would be '1'.
Enterprise Name Example Manufacturer
Enterprise Risk Scope Enterprise
Assessment Criteria Last Completed (Date) 31-Jul-21
Risk Register
Asset Class Asset Name CIS Safeguard #
Applications Fabricore 2.1
Applications 2.1
Applications 2.2

Applications 7.3
Applications 7.4
Applications 7.5
Applications 7.6
Applications 7.7
Applications 9.1
Applications 9.4
Applications 16.1
Applications 16.2
Applications 16.3
Applications 16.4
Applications 16.5
Applications 16.6
Applications 16.7
Applications 16.8
Applications 16.9
Applications 16.10
Applications 16.11
Data 3.1
Data 3.2
Data 3.3
Data 3.4
Data 3.5
Data 3.7
Data 3.8
Data 3.9
Data 3.10
Data 3.11
Data 11.1
Data 11.2
Data 11.3
Data 11.4
Data 11.5
Devices 1.1
Devices 1.2
Devices 1.3
Devices 1.4
Devices 3.6
Devices 4.4
Devices 4.5
Devices 4.8
Devices 4.9
Devices 4.10
Devices 4.11
Devices 8.8
Devices 10.1
Devices 10.2
Devices 10.3
Devices 10.4
Devices 10.5
Devices 10.6
Devices 10.7
Devices 12.7
Devices 13.2
Devices 13.5
Enterprise 14.1
Enterprise 14.2
Enterprise 14.3
Enterprise 14.4
Enterprise 14.5
Enterprise 14.6
Enterprise 14.7
Enterprise 14.8
Enterprise 14.9
Enterprise 15.1
Enterprise 15.2
Enterprise 15.3
Enterprise 15.4
Enterprise 17.1
Enterprise 17.2
Enterprise 17.3
Enterprise 17.4
Enterprise 17.5
Enterprise 17.6
Enterprise 17.7
Enterprise 17.8
Enterprise 18.1
Network 3.12
Network 4.2
Network 4.6
Network 8.1
Network 8.2
Network 8.3
Network 8.4
Network 8.5
Network 8.6
Network 8.7
Network 8.9
Network 8.10
Network 8.11
Network 9.2
Network 9.3
Network 9.5
Network 9.6
Network 12.1
Network 12.2
Network 12.3
Network 12.4
Network 12.5
Network 12.6
Network 13.1
Network 13.3
Network 13.4
Network 13.6
Network 18.2
Network 18.3
Users 4.3
Users 4.7
Users 5.1
Users 5.2
Users 5.3
Users 5.4
Users 5.5
Users 5.6
Users 6.1
Users 6.2
Users 6.3
Users 6.4
Users 6.5
Users 6.6
Users 6.7
Manufacturer
e
All data on this page is considered sample da
CIS Safeguard Title IG1 IG2 NIST CSF Security Function

x x Identify
Inventory

x x Identify
Inventory

x x Identify
Currently Supported

x x Identify
Currently Supported
Address Unauthorized Software x x Respond
Utilize Automated Software Inventory

x Detect
Tools
Allowlist Authorized Software x Protect
Allowlist Authorized Libraries x Protect

x x Protect
Configuration Process

x x Protect
Vulnerability Management Process

x x Respond
Remediation Process

x x Protect
x x Protect
Patch Management

x Identify
Scans of Internal Enterprise Assets

Scans of Externally-Exposed x Identify
Enterprise Assets
Remediate Detected Vulnerabilities x Respond

x x Protect
Unauthorized Browser and Email x Protect
Client Extensions

x Protect
Application Development Process
Establish and Maintain a Process to
Accept and Address Software x Protect
Vulnerabilities
Perform Root Cause Analysis on

x Protect
Security Vulnerabilities
Establish and Manage an Inventory

x Protect
of Third-Party Software Components
Use Up-to-Date and Trusted Third-

x Protect
Party Software Components
Establish and Maintain a Severity

Rating System and Process for x Protect

Configuration Templates for x Protect

x Protect
Production Systems

Security Concepts and Secure x Protect
Coding
Apply Secure Design Principles in

x Protect
Application Architectures
Services for Application Security x Protect
Components

x x Identify
Management Process

x x Identify
Inventory
Configure Data Access Control Lists x x Protect
Enforce Data Retention x x Protect
Securely Dispose of Data x x Protect

x Identify
Document Data Flows x Identify
Encrypt Data on Removable Media x Protect

Encrypt Sensitive Data in Transit x Protect
Encrypt Sensitive Data at Rest x Protect

x x Recover
Recovery Process
Perform Automated Backups x x Recover
Protect Recovery Data x x Protect
Establish and Maintain an Isolated

x x Recover
Instance of Recovery Data
Test Data Recovery x Recover

x x Identify
Utilize an Active Discovery Tool x Detect
Use Dynamic Host Configuration

Protocol (DHCP) Logging to Update x Identify
Encrypt Data on End-User Devices x x Protect

x x Protect
Servers

x x Protect
End-User Devices
Uninstall or Disable Unnecessary

Services on Enterprise Assets and x Protect
Software
Configure Trusted DNS Servers on

x Protect
Enterprise Assets
Enforce Automatic Device Lockout

x Respond
on Portable End-User Devices
Enforce Remote Wipe Capability on

x Protect
Portable End-User Devices
Collect Command-Line Audit Logs x Detect

Deploy and Maintain Anti-Malware
x x Protect
Software
x x Protect
Signature Updates
Disable Autorun and Autoplay for
x x Protect
Removable Media
x Detect
Scanning of Removable Media
Enable Anti-Exploitation Features x Protect

x Protect
Software
Use Behavior-Based Anti-Malware
x Detect
Software
Ensure Remote Devices Utilize a
VPN and are Connecting to an x Protect
x Detect
Detection Solution
Manage Access Control for Remote

x Protect
Assets
Establish and Maintain a Security

x x Protect
Awareness Program

Recognize Social Engineering x x Protect
Attacks
x x Protect
Train Workforce on Data Handling

x x Protect
Best Practices

Causes of Unintentional Data x x Protect
Exposure
Recognizing and Reporting Security x x Protect
Incidents
Train Workforce on How to Identify

and Report if Their Enterprise Assets x x Protect
are Missing Security Updates
Train Workforce on the Dangers of

Connecting to and Transmitting
x x Protect
Enterprise Data Over Insecure
Networks

x Protect

x x Identify
of Service Providers
Establish and Maintain a Service
x Identify
Provider Management Policy
Classify Service Providers x Identify
Ensure Service Provider Contracts

x Protect
Include Security Requirements
Designate Personnel to Manage

x x Respond
Incident Handling

Information for Reporting Security x x Respond
Incidents
Establish and Maintain an Enterprise

x x Respond
Process for Reporting Incidents
Establish and Maintain an Incident

x Respond
Response Process

x Respond
Responsibilities

Communicating During Incident x Respond
Response
Conduct Routine Incident Response

x Recover
Exercises
Conduct Post-Incident Reviews x Recover

Establish and Maintain a Penetration
x Identify
Testing Program

x Protect
Configuration Process for Network x x Protect
Infrastructure
Securely Manage Enterprise Assets

x x Protect
and Software
Establish and Maintain an Audit Log

x x Protect
Management Process
Collect Audit Logs x x Detect
Ensure Adequate Audit Log Storage x x Protect
Standardize Time Synchronization x Protect
Collect Detailed Audit Logs x Detect
Collect DNS Query Audit Logs x Detect

Collect URL Request Audit Logs x Detect
Centralize Audit Logs x Detect
Retain Audit Logs x Protect
Conduct Audit Log Reviews x Detect
Use DNS Filtering Services x x Protect

x Protect
Based URL Filters
Implement DMARC x Protect
Ensure Network Infrastructure is Up-

x x Protect
to-Date

x Protect
Network Architecture
x Protect
Infrastructure
Establish and Maintain Architecture

x Identify
Diagram(s)
Centralize Network Authentication,

x Protect
Authorization, and Auditing (AAA)
Use of Secure Network Management

x Protect
and Communication Protocols
Centralize Security Event Alerting x Detect
Deploy a Network Intrusion Detection

x Detect
Solution
Perform Traffic Filtering Between

x Protect
Network Segments
Collect Network Traffic Flow Logs x Detect

x Identify
Penetration Tests
Remediate Penetration Test Findings x Protect

x x Protect

x x Protect

x x Identify
of Accounts
Use Unique Passwords x x Protect
Restrict Administrator Privileges to

x x Protect
Dedicated Administrator Accounts

x Identify
of Service Accounts
Centralize Account Management x Protect

x x Protect
Process

x x Protect
Process
Require MFA for Externally-Exposed

x x Protect
Applications
Require MFA for Remote Network

x x Protect
Access
x x Protect
Access
of Authentication and Authorization x Identify
Systems
Centralize Access Control x Protect

n this page is considered sample data only, and not meant to reflect an individual organization's risk register.
Risk Analysis
Our Implementation Evidence of Implementation Vulnerabilities
We use AppXYZControl that Monthly scan reports and Shell scripting tools and compilers are
monitors for applications "diff" reports are located in \\ permitted, but we have no way of
installed on all servers and end- fileserverALPHA\evidence\ validating scripts, or side-loaded
user systems. 20211212\2\ applications.
We use AppXYZControl that Monthly scan reports and Shell scripting tools and compilers are
monitors for applications "diff" reports are located in \\ permitted, but we have no way of
installed on some servers and fileserverALPHA\evidence\ validating scripts, or side-loaded
end-user systems. 20211212\2\ applications.
AppXYZControl validates that

Monthly scan reports and
installed applications are
"diff" reports are located in \\
currently supported, and that None observed
fileserverALPHA\evidence\
current versions are
20211212\2\
implemented.
AppXYZControl validates for

some servers and workstations Monthly scan reports and
that installed applications are "diff" reports are located in \\
None observed
currently supported, and that fileserverALPHA\evidence\
current versions are 20211212\2\
implemented.
Monthly exceptions reports

are located in \\
AppXYZControl identifies
fileserverALPHA\evidence\
installed applications that were
20211212\2\. Shell scripting tools are permitted, but we
not permitted and alerts the
have no way of validating scripts, or
Ops team. Ops team removes
Tickets for uninstall of uninstalled applications.
unapproved applications within
unapproved applications are
five business days.
located in \\fileserverALPHA\
evidence\20211212\2\.
We use AppXYZControl that Monthly scan reports and

monitors for applications "diff" reports are located in \\
None observed
installed on all servers and end- fileserverALPHA\evidence\
user systems. 20211212\2\
AppXYZControl uses a list of
Monthly exceptions reports AppXYZControl identifies applications
approved software in its scans
are located in \\ after they were installed. We are not
and identifies installed
fileserverALPHA\evidence\ preventing unauthorized applications
applications that are not on that
20211212\2\. from being installed.
list.
AppXYZControl uses a list of
Monthly exceptions reports AppXYZControl identifies applications
approved software libraries in
are located in \\ after they were installed. We are not
its scans and identified installed
fileserverALPHA\evidence\ preventing unauthorized applications
applications that are not on that
20211212\2\. from being installed.
list.
End-user systems and servers

SCAP policy files for each
are built using images that we System images are not built from known-
server and workstation type
developed for business secure standards, such as vendor-
are located in \\
purposes and for minimum use provided or community-provided SCAP
fileserverBETA\SCAP\
(fewest processes, services, polices.
current\.
and applications).
The Ops team reviews all vulnerabilities,

We use ACME Hunter to scan
but does not resolve vulnerabilities that
for vulnerabilities on all systems
are out of our control, or that would
on a weekly basis.
"break" systems.
ACME's Ops team remediates The Ops team reviews all vulnerabilities,
vulnerabilities that they are but does not resolve vulnerabilities that
certain will not compromise are out of our control, or that would
system performance. "break" systems.
rganization's risk register. Only to be used for demonstration purposes.
Impact to Impact to
Safeguard Expectancy Impact to
VCDB Index Operational Financial
Maturity Score Score Mission
3 2 2 4 2 4
2 2 3 4 2 4
5 2 1 4 2 4
2 2 3 4 2 4
4 2 2 4 2 4
5 2 1 4 2 4
4 2 2 4 2 4
5 2 1 4 2 4
2 2 3 4 2 4
3 2 2 4 2 4
2 2 3 4 2 4
2 4 2 4
2 4 2 4
2 4 2 4
2 4 2 4
2 4 2 4
2 4 2 4
2 4 2 4
2 4 2 4
2 4 2 4
2 4 2 4
2 4 2 4
2 4 2 4
2 4 2 4
2 4 2 4
2 4 2 4
2 4 2 4
2 4 2 4
2 4 2 4
2 3 4 3 4 5
2 3 4 3 4 5
1 3 5 3 4 5
2 3 4 3 4 5
4 3 2 3 4 5
3 3 3 3 4 5
3 3 3 3 4 5
1 3 5 3 4 5
1 3 5 3 4 5
2 3 4 3 4 5
3 3 4 5
3 3 4 5
3 3 4 5
3 3 4 5
3 3 4 5
5 1 1 2 1 3
3 1 1 2 1 3
2 1 3 2 1 3
4 1 1 2 1 3
3 1 1 2 1 3
1 1 4 2 1 3
2 1 3 2 1 3
1 1 4 2 1 3
2 1 3 2 1 3
4 1 1 2 1 3
2 1 3 2 1 3
1 2 1 3
1 2 1 3
1 2 1 3
1 2 1 3
1 2 1 3
1 2 1 3
1 2 1 3
1 2 1 3
1 2 1 3
1 2 1 3
1 2 1 3
3 4 4 5
3 4 4 5
3 4 4 5
3 4 4 5
3 4 4 5
3 4 4 5
3 4 4 5
3 4 4 5
3 4 4 5
3 4 4 5
3 4 4 5
3 4 4 5
3 4 4 5
3 4 4 5
3 4 4 5
3 4 4 5
3 4 4 5
3 4 4 5
3 4 4 5
3 4 4 5
3 4 4 5
3 4 4 5
4 1 1 3 4 3
1 1 4 3 4 3
4 1 1 3 4 3
1 3 4 3
1 3 4 3
1 3 4 3
1 3 4 3
1 3 4 3
1 3 4 3
1 3 4 3
1 3 4 3
1 3 4 3
1 3 4 3
1 3 4 3
1 3 4 3
1 3 4 3
1 3 4 3
1 3 4 3
1 3 4 3
1 3 4 3
1 3 4 3
1 3 4 3
1 3 4 3
1 3 4 3
1 3 4 3
1 3 4 3
1 3 4 3
1 3 4 3
1 3 4 3
1 3 5 3 3 4
3 3 3 3 3 4
5 3 1 3 3 4
1 3 5 3 3 4
2 3 4 3 3 4
3 3 3 3 3 4
4 3 2 3 3 4
5 3 1 3 3 4
2 3 4 3 3 4
1 3 5 3 3 4
1 3 5 3 3 4
3 3 3 3 3 4
3 3 3 4
3 3 3 4
3 3 3 4
Risk
Register
Impact to
Risk Score Risk Level Risk Treatment Option Risk Treatment Safeguard
Obligations
5 10 Reduce 2.1
5 15 Reduce 2.1
5 5 Accept 2.2
5 15 Reduce 2.2
5 10 Reduce 2.3
5 5 Accept 2.4
5 10 Reduce 2.5
5 5 Accept 2.6
5 15 Reduce 4.1
5 10 Reduce 7.1
5 15 Reduce 7.2
5 7.3
5 7.4
5 7.5
5 7.6
5 7.7
5 9.1
5 9.4
5 16.1
5 16.2
5 16.3
5 16.4
5 16.5
5 16.6
5 16.7
5 16.8
5 16.9
5 16.1
5 16.11
2 20 3.1
2 20 3.2
2 25 3.3
2 20 3.4
2 10 3.5
2 15 3.7
2 15 3.8
2 25 3.9
2 25 3.1
2 20 3.11
2 11.1
2 11.2
2 11.3
2 11.4
2 11.5
3 3 1.1
3 3 1.2
3 9 1.3
3 3 1.4
3 3 3.6
3 12 4.4
3 9 4.5
3 12 4.8
3 9 4.9
3 3 4.1
3 9 4.11
3 8.8
3 10.1
3 10.2
3 10.3
3 10.4
3 10.5
3 10.6
3 10.7
3 12.7
3 13.2
3 13.5
5 14.1
5 14.2
5 14.3
5 14.4
5 14.5
5 14.6
5 14.7
5 14.8
5 14.9
5 15.1
5 15.2
5 15.3
5 15.4
5 17.1
5 17.2
5 17.3
5 17.4
5 17.5
5 17.6
5 17.7
5 17.8
5 18.1
1 4 3.12
1 16 4.2
1 4 4.6
1 8.1
1 8.2
1 8.3
1 8.4
1 8.5
1 8.6
1 8.7
1 8.9
1 8.1
1 8.11
1 9.2
1 9.3
1 9.5
1 9.6
1 12.1
1 12.2
1 12.3
1 12.4
1 12.5
1 12.6
1 13.1
1 13.3
1 13.4
1 13.6
1 18.2
1 18.3
4 20 4.3
4 12 4.7
4 4 5.1
4 20 5.2
4 16 5.3
4 12 5.4
4 8 5.5
4 4 5.6
4 16 6.1
4 20 6.2
4 20 6.3
4 12 6.4
4 6.5
4 6.6
4 6.7
Risk Treatment
Safeguard Title
Establish and Maintain a Software Inventory
Establish and Maintain a Software Inventory
Ensure Authorized Software is Currently Supported
Ensure Authorized Software is Currently Supported
Address Unauthorized Software
Utilize Automated Software Inventory Tools

Allowlist Authorized Software
Allowlist Authorized Libraries
Establish and Maintain a Secure Configuration Process
Establish and Maintain a Vulnerability Management Process
Establish and Maintain a Remediation Process
Perform Automated Operating System Patch Management
Perform Automated Application Patch Management
Perform Automated Vulnerability Scans of Internal Enterprise Assets
Perform Automated Vulnerability Scans of Externally-Exposed

Enterprise Assets
Remediate Detected Vulnerabilities
Ensure Use of Only Fully Supported Browsers and Email Clients
Restrict Unnecessary or Unauthorized Browser and Email Client

Extensions
Establish and Maintain a Secure Application Development Process

Establish and Maintain a Process to Accept and Address Software
Vulnerabilities
Perform Root Cause Analysis on Security Vulnerabilities
Establish and Manage an Inventory of Third-Party Software

Components
Use Up-to-Date and Trusted Third-Party Software Components
Establish and Maintain a Severity Rating System and Process for

Use Standard Hardening Configuration Templates for Application

Infrastructure
Separate Production and Non-Production Systems
Train Developers in Application Security Concepts and Secure

Coding
Apply Secure Design Principles in Application Architectures

Leverage Vetted Modules or Services for Application Security
Components
Establish and Maintain a Data Management Process
Establish and Maintain a Data Inventory
Configure Data Access Control Lists
Enforce Data Retention
Securely Dispose of Data
Establish and Maintain a Data Classification Scheme
Document Data Flows
Encrypt Data on Removable Media

Encrypt Sensitive Data in Transit
Encrypt Sensitive Data at Rest
Establish and Maintain a Data Recovery Process
Perform Automated Backups
Protect Recovery Data
Establish and Maintain an Isolated Instance of Recovery Data
Test Data Recovery

Establish and Maintain Detailed Enterprise Asset Inventory
Address Unauthorized Assets
Utilize an Active Discovery Tool
Use Dynamic Host Configuration Protocol (DHCP) Logging to

Update Enterprise Asset Inventory
Encrypt Data on End-User Devices
Implement and Manage a Firewall on Servers
Implement and Manage a Firewall on End-User Devices
Uninstall or Disable Unnecessary Services on Enterprise Assets and

Software
Configure Trusted DNS Servers on Enterprise Assets
Enforce Automatic Device Lockout on Portable End-User Devices
Enforce Remote Wipe Capability on Portable End-User Devices
Collect Command-Line Audit Logs
Deploy and Maintain Anti-Malware Software
Configure Automatic Anti-Malware Signature Updates
Disable Autorun and Autoplay for Removable Media
Configure Automatic Anti-Malware Scanning of Removable Media
Enable Anti-Exploitation Features

Centrally Manage Anti-Malware Software
Use Behavior-Based Anti-Malware Software
Ensure Remote Devices Utilize a VPN and are Connecting to an

Deploy a Host-Based Intrusion Detection Solution
Manage Access Control for Remote Assets
Establish and Maintain a Security Awareness Program
Train Workforce Members to Recognize Social Engineering Attacks
Train Workforce Members on Authentication Best Practices
Train Workforce on Data Handling Best Practices
Train Workforce Members on Causes of Unintentional Data

Exposure
Train Workforce Members on Recognizing and Reporting Security

Incidents
Train Workforce on How to Identify and Report if Their Enterprise

Assets are Missing Security Updates
Train Workforce on the Dangers of Connecting to and Transmitting

Enterprise Data Over Insecure Networks
Conduct Role-Specific Security Awareness and Skills Training
Establish and Maintain an Inventory of Service Providers

Establish and Maintain a Service Provider Management Policy
Classify Service Providers
Ensure Service Provider Contracts Include Security Requirements
Designate Personnel to Manage Incident Handling
Establish and Maintain Contact Information for Reporting Security

Incidents
Establish and Maintain an Enterprise Process for Reporting

Incidents
Establish and Maintain an Incident Response Process
Assign Key Roles and Responsibilities
Define Mechanisms for Communicating During Incident Response
Conduct Routine Incident Response Exercises
Conduct Post-Incident Reviews

Establish and Maintain a Penetration Testing Program
Segment Data Processing and Storage Based on Sensitivity
Establish and Maintain a Secure Configuration Process for Network

Infrastructure
Securely Manage Enterprise Assets and Software
Establish and Maintain an Audit Log Management Process
Collect Audit Logs
Ensure Adequate Audit Log Storage
Standardize Time Synchronization
Collect Detailed Audit Logs
Collect DNS Query Audit Logs

Collect URL Request Audit Logs
Centralize Audit Logs
Retain Audit Logs
Conduct Audit Log Reviews
Use DNS Filtering Services
Maintain and Enforce Network-Based URL Filters
Implement DMARC
Block Unnecessary File Types
Ensure Network Infrastructure is Up-to-Date
Establish and Maintain a Secure Network Architecture

Securely Manage Network Infrastructure
Establish and Maintain Architecture Diagram(s)
Centralize Network Authentication, Authorization, and Auditing

(AAA)
Use of Secure Network Management and Communication Protocols
Centralize Security Event Alerting
Deploy a Network Intrusion Detection Solution
Perform Traffic Filtering Between Network Segments
Collect Network Traffic Flow Logs
Perform Periodic External Penetration Tests
Remediate Penetration Test Findings
Configure Automatic Session Locking on Enterprise Assets
Manage Default Accounts on Enterprise Assets and Software
Establish and Maintain an Inventory of Accounts
Use Unique Passwords
Disable Dormant Accounts
Restrict Administrator Privileges to Dedicated Administrator

Accounts
Establish and Maintain an Inventory of Service Accounts
Centralize Account Management

Establish an Access Granting Process
Establish an Access Revoking Process
Require MFA for Externally-Exposed Applications
Require MFA for Remote Network Access
Require MFA for Administrative Access
Establish and Maintain an Inventory of Authentication and

Authorization Systems
Centralize Access Control

Risk Treatment
Safeguard Description
Establish and maintain a detailed inventory of all licensed software installed on enterprise
assets. The software inventory must document the title, publisher, initial install/use date, and
business purpose for each entry; where appropriate, include the Uniform Resource Locator
(URL), app store(s), version(s), deployment mechanism, and decommission date. Review and
update the software inventory bi-annually, or more frequently.
Establish and maintain a detailed inventory of all licensed software installed on enterprise
assets. The software inventory must document the title, publisher, initial install/use date, and
business purpose for each entry; where appropriate, include the Uniform Resource Locator
(URL), app store(s), version(s), deployment mechanism, and decommission date. Review and
update the software inventory bi-annually, or more frequently.
Ensure that only currently supported software Thisisenterprise
designated as authorized in the software
inventory for enterprise assets. If software is unsupported,
believes that yet necessary for the fulfillment of the
enterprise’s mission, document an exception detailing mitigating controls and residual risk
permitting script
acceptance. For any unsupported software engines
without an
on exception
only documentation, designate as
unauthorized. Review the software list to verify
systemsoftware
adminsupport at least monthly, or more
frequently. computers will address
this risk.
Ensure that only currently supported software is designated as authorized in the software
inventory for enterprise assets. If software is unsupported, yet necessary for the fulfillment of the
enterprise’s mission, document an exception detailing mitigating controls and residual risk
acceptance. For any unsupported software without an exception documentation, designate as
unauthorized. Review the software list to verify software support at least monthly, or more
frequently.
Ensure that unauthorized software is either removed from use on enterprise assets or receives a
documented exception. Review monthly, or more frequently.
Utilize software inventory tools, when possible, throughout the enterprise to automate the
discovery and documentation of installed software.
Use technical controls, such as application allowlisting, to ensure that only authorized software
can execute or be accessed. Reassess bi-annually, or more frequently.
Use technical controls to ensure that only authorized software libraries, such as
specific .dll, .ocx, .so, etc., files, are allowed to load into a system process. Block unauthorized
libraries from loading into a system process. Reassess bi-annually, or more frequently.
Establish and maintain a secure configuration process for enterprise assets (end-user devices,
including portable and mobile, non-computing/IoT devices, and servers) and software (operating
systems and applications). Review and update documentation annually, or when significant
Establish and maintain a documented vulnerability management process for enterprise assets.
Review and update documentation annually, or when significant enterprise changes occur that
Establish and maintain a risk-based remediation strategy documented in a remediation process,

with monthly, or more frequent, reviews.
Perform operating system updates on enterprise assets through automated patch management
on a monthly, or more frequent, basis.
Perform application updates on enterprise assets through automated patch management on a
monthly, or more frequent, basis.
Perform automated vulnerability scans of internal enterprise assets on a quarterly, or more
frequent, basis. Conduct both authenticated and unauthenticated scans, using a SCAP-
compliant vulnerability scanning tool.
Perform automated vulnerability scans of externally-exposed enterprise assets using a SCAP-

compliant vulnerability scanning tool. Perform scans on a monthly, or more frequent, basis.
Remediate detected vulnerabilities in software through processes and tooling on a monthly, or

more frequent, basis, based on the remediation process.
Ensure only fully supported browsers and email clients are allowed to execute in the enterprise,
only using the latest version of browsers and email clients provided through the vendor.
Restrict, either through uninstalling or disabling, any unauthorized or unnecessary browser or

email client plugins, extensions, and add-on applications.
Establish and maintain a secure application development process. In the process, address such
items as: secure application design standards, secure coding practices, developer training,
vulnerability management, security of third-party code, and application security testing
procedures. Review and update documentation annually, or when significant enterprise changes
Establish and maintain a process to accept and address reports of software vulnerabilities,
including providing a means for external entities to report. The process is to include such items
as: a vulnerability handling policy that identifies reporting process, responsible party for handling
vulnerability reports, and a process for intake, assignment, remediation, and remediation
testing. As part of the process, use a vulnerability tracking system that includes severity ratings,
and metrics for measuring timing for identification, analysis, and remediation of
vulnerabilities. Review and update documentation annually, or when significant enterprise
changes occur that could impact this Safeguard.
Third-party application developers need to consider this an externally-facing policy that helps to
set expectations for outside stakeholders.
Perform root cause analysis on security vulnerabilities. When reviewing vulnerabilities, root
cause analysis is the task of evaluating underlying issues that create vulnerabilities in code, and
allows development teams to move beyond just fixing individual vulnerabilities as they arise.
Establish and manage an updated inventory of third-party components used in development,

often referred to as a “bill of materials,” as well as components slated for future use. This
inventory is to include any risks that each third-party component could pose. Evaluate the list at
least monthly to identify any changes or updates to these components, and validate that the
component is still supported.
Use up-to-date and trusted third-party software components. When possible, choose established
and proven frameworks and libraries that provide adequate security. Acquire these components
from trusted sources or evaluate the software for vulnerabilities before use.
Establish and maintain a severity rating system and process for application vulnerabilities that
facilitates prioritizing the order in which discovered vulnerabilities are fixed. This process
includes setting a minimum level of security acceptability for releasing code or applications.
Severity ratings bring a systematic way of triaging vulnerabilities that improves risk management
and helps ensure the most severe bugs are fixed first. Review and update the system and
process annually.
Use standard, industry-recommended hardening configuration templates for application
infrastructure components. This includes underlying servers, databases, and web servers, and
applies to cloud containers, Platform as a Service (PaaS) components, and SaaS components.
Do not allow in-house developed software to weaken configuration hardening.
Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities. Training can include general security
principles and application security standard practices. Conduct training at least annually and
design in a way to promote security within the development team, and build a culture of security
among the developers.
Apply secure design principles in application architectures. Secure design principles include the
concept of least privilege and enforcing mediation to validate every operation that the user
makes, promoting the concept of "never trust user input." Examples include ensuring that explicit
error checking is performed and documented for all input, including for size, data type, and
acceptable ranges or formats. Secure design also means minimizing the application
infrastructure attack surface, such as turning off unprotected ports and services, removing
unnecessary programs and files, and renaming or removing default accounts.
Leverage vetted modules or services for application security components, such as identity
management, encryption, and auditing and logging. Using platform features in critical security
functions will reduce developers’ workload and minimize the likelihood of design or
implementation errors. Modern operating systems provide effective mechanisms for
identification, authentication, and authorization and make those mechanisms available to
applications. Use only standardized, currently accepted, and extensively reviewed encryption
algorithms. Operating systems also provide mechanisms to create and maintain secure audit
logs.
Establish and maintain a data management process. In the process, address data sensitivity,
data owner, handling of data, data retention limits, and disposal requirements, based on
sensitivity and retention standards for the enterprise. Review and update documentation
annually, or when significant enterprise changes occur that could impact this Safeguard.
Establish and maintain a data inventory, based on the enterprise’s data management process.
Inventory sensitive data, at a minimum. Review and update inventory annually, at a minimum,
with a priority on sensitive data.
Configure data access control lists based on a user’s need to know. Apply data access control
lists, also known as access permissions, to local and remote file systems, databases, and
applications.
Retain data according to the enterprise’s data management process. Data retention must
include both minimum and maximum timelines.
Securely dispose of data as outlined in the enterprise’s data management process. Ensure the
disposal process and method are commensurate with the data sensitivity.
Establish and maintain an overall data classification scheme for the enterprise. Enterprises may
use labels, such as “Sensitive,” “Confidential,” and “Public,” and classify their data according to
those labels. Review and update the classification scheme annually, or when significant
Document data flows. Data flow documentation includes service provider data flows and should
be based on the enterprise’s data management process. Review and update documentation
Encrypt data on removable media.

Encrypt sensitive data in transit. Example implementations can include: Transport Layer Security
(TLS) and Open Secure Shell (OpenSSH).
Encrypt sensitive data at rest on servers, applications, and databases containing sensitive data.
Storage-layer encryption, also known as server-side encryption, meets the minimum requirement
of this Safeguard. Additional encryption methods may include application-layer encryption, also
known as client-side encryption, where access to the data storage device(s) does not permit
access to the plain-text data.
Establish and maintain a data recovery process. In the process, address the scope of data
recovery activities, recovery prioritization, and the security of backup data. Review and update
documentation annually, or when significant enterprise changes occur that could impact this
Safeguard.
Perform automated backups of in-scope enterprise assets. Run backups weekly, or more
frequently, based on the sensitivity of the data.
Protect recovery data with equivalent controls to the original data. Reference encryption or data
separation, based on requirements.
Establish and maintain an isolated instance of recovery data. Example implementations include,
version controlling backup destinations through offline, cloud, or off-site systems or services.
Test backup recovery quarterly, or more frequently, for a sampling of in-scope enterprise assets.
Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets
with the potential to store or process data, to include: end-user devices (including portable and
mobile), network devices, non-computing/IoT devices, and servers. Ensure the inventory records
the network address (if static), hardware address, machine name, enterprise asset owner,
department for each asset, and whether the asset has been approved to connect to the network.
For mobile end-user devices, MDM type tools can support this process, where appropriate. This
inventory includes assets connected to the infrastructure physically, virtually, remotely, and
those within cloud environments. Additionally, it includes assets that are regularly connected to
the enterprise’s network infrastructure, even if they are not under control of the enterprise.
Review and update the inventory of all enterprise assets bi-annually, or more frequently.
Ensure that a process exists to address unauthorized assets on a weekly basis. The enterprise
may choose to remove the asset from the network, deny the asset from connecting remotely to
the network, or quarantine the asset.
Utilize an active discovery tool to identify assets connected to the enterprise’s network.
Configure the active discovery tool to execute daily, or more frequently.
Use DHCP logging on all DHCP servers or Internet Protocol (IP) address management tools to
update the enterprise’s asset inventory. Review and use logs to update the enterprise’s asset
inventory weekly, or more frequently.
Encrypt data on end-user devices containing sensitive data. Example implementations can
include: Windows BitLocker®, Apple FileVault®, Linux® dm-crypt.
Implement and manage a firewall on servers, where supported. Example implementations
include a virtual firewall, operating system firewall, or a third-party firewall agent.
Implement and manage a host-based firewall or port-filtering tool on end-user devices, with a
default-deny rule that drops all traffic except those services and ports that are explicitly allowed.
Uninstall or disable unnecessary services on enterprise assets and software, such as an unused
file sharing service, web application module, or service function.
Configure trusted DNS servers on enterprise assets. Example implementations include:

configuring assets to use enterprise-controlled DNS servers and/or reputable externally
accessible DNS servers.
Enforce automatic device lockout following a predetermined threshold of local failed
authentication attempts on portable end-user devices, where supported. For laptops, do not
allow more than 20 failed authentication attempts; for tablets and smartphones, no more than 10
failed authentication attempts. Example implementations include Microsoft® InTune Device Lock
and Apple® Configuration Profile maxFailedAttempts.
Remotely wipe enterprise data from enterprise-owned portable end-user devices when deemed
appropriate such as lost or stolen devices, or when an individual no longer supports the
enterprise.
Collect command-line audit logs. Example implementations include collecting audit logs from
PowerShell®, BASH™, and remote administrative terminals.
Deploy and maintain anti-malware software on all enterprise assets.
Configure automatic updates for anti-malware signature files on all enterprise assets.
Disable autorun and autoplay auto-execute functionality for removable media.
Configure anti-malware software to automatically scan removable media.
Enable anti-exploitation features on enterprise assets and software, where possible, such as
Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or
Apple® System Integrity Protection (SIP) and Gatekeeper™.
Centrally manage anti-malware software.
Use behavior-based anti-malware software.
Require users to authenticate to enterprise-managed VPN and authentication services prior to

accessing enterprise resources on end-user devices.
Deploy a host-based intrusion detection solution on enterprise assets, where appropriate and/or
supported.
Manage access control for assets remotely connecting to enterprise resources. Determine
amount of access to enterprise resources based on: up-to-date anti-malware software installed,
configuration compliance with the enterprise’s secure configuration process, and ensuring the
operating system and applications are up-to-date.
Establish and maintain a security awareness program. The purpose of a security awareness
program is to educate the enterprise’s workforce on how to interact with enterprise assets and
data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and
update content annually, or when significant enterprise changes occur that could impact this
Safeguard.
Train workforce members to recognize social engineering attacks, such as phishing, pre-texting,
and tailgating.
Train workforce members on authentication best practices. Example topics include MFA,
password composition, and credential management.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive data. This also includes training workforce members on clear screen and desk best
practices, such as locking their screen when they step away from their enterprise asset, erasing
physical and virtual whiteboards at the end of meetings, and storing data and assets securely.
Train workforce members to be aware of causes for unintentional data exposure. Example topics
include mis-delivery of sensitive data, losing a portable end-user device, or publishing data to
unintended audiences.
Train workforce members to be able to recognize a potential incident and be able to report such
an incident.
Train workforce to understand how to verify and report out-of-date software patches or any
failures in automated processes and tools. Part of this training should include notifying IT
personnel of any failures in automated processes and tools.
Train workforce members on the dangers of connecting to, and transmitting data over, insecure
networks for enterprise activities. If the enterprise has remote workers, training must include
guidance to ensure that all users securely configure their home network infrastructure.
Conduct role-specific security awareness and skills training. Example implementations include
secure system administration courses for IT professionals, OWASP® Top 10 vulnerability
awareness and prevention training for web application developers, and advanced social
engineering awareness training for high-profile roles.
Establish and maintain an inventory of service providers. The inventory is to list all known
service providers, include classification(s), and designate an enterprise contact for each service
provider. Review and update the inventory annually, or when significant enterprise changes
Establish and maintain a service provider management policy. Ensure the policy addresses the
classification, inventory, assessment, monitoring, and decommissioning of service providers.
Review and update the policy annually, or when significant enterprise changes occur that could
Classify service providers. Classification consideration may include one or more characteristics,
such as data sensitivity, data volume, availability requirements, applicable regulations, inherent
risk, and mitigated risk. Update and review classifications annually, or when significant
Ensure service provider contracts include security requirements. Example requirements may
include minimum security program requirements, security incident and/or data breach
notification and response, data encryption requirements, and data disposal commitments. These
security requirements must be consistent with the enterprise’s service provider management
policy. Review service provider contracts annually to ensure contracts are not missing security
requirements.
Designate one key person, and at least one backup, who will manage the enterprise’s incident
handling process. Management personnel are responsible for the coordination and
documentation of incident response and recovery efforts and can consist of employees internal
to the enterprise, third-party vendors, or a hybrid approach. If using a third-party vendor,
designate at least one person internal to the enterprise to oversee any third-party work. Review
Establish and maintain contact information for parties that need to be informed of security
incidents. Contacts may include internal staff, third-party vendors, law enforcement, cyber
insurance providers, relevant government agencies, Information Sharing and Analysis Center
(ISAC) partners, or other stakeholders. Verify contacts annually to ensure that information is up-
to-date.
Establish and maintain an enterprise process for the workforce to report security incidents. The
process includes reporting timeframe, personnel to report to, mechanism for reporting, and the
minimum information to be reported. Ensure the process is publicly available to all of the
workforce. Review annually, or when significant enterprise changes occur that could impact this
Safeguard.
Establish and maintain an incident response process that addresses roles and responsibilities,
compliance requirements, and a communication plan. Review annually, or when significant
Assign key roles and responsibilities for incident response, including staff from legal, IT,
information security, facilities, public relations, human resources, incident responders, and
analysts, as applicable. Review annually, or when significant enterprise changes occur that
Determine which primary and secondary mechanisms will be used to communicate and report
during a security incident. Mechanisms can include phone calls, emails, or letters. Keep in mind
that certain mechanisms, such as emails, can be affected during a security incident. Review
Plan and conduct routine incident response exercises and scenarios for key personnel involved
in the incident response process to prepare for responding to real-world incidents. Exercises
need to test communication channels, decision making, and workflows. Conduct testing on an
annual basis, at a minimum.
Conduct post-incident reviews. Post-incident reviews help prevent incident recurrence through
identifying lessons learned and follow-up action.
Establish and maintain a penetration testing program appropriate to the size, complexity, and
maturity of the enterprise. Penetration testing program characteristics include scope, such as
network, web application, Application Programming Interface (API), hosted services, and
physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack
types; point of contact information; remediation, such as how findings will be routed internally;
and retrospective requirements.
Segment data processing and storage based on the sensitivity of the data. Do not process
sensitive data on enterprise assets intended for lower sensitivity data.
Establish and maintain a secure configuration process for network devices. Review and update
documentation annually, or when significant enterprise changes occur that could impact this
Safeguard.
Securely manage enterprise assets and software. Example implementations include managing
configuration through version-controlled-infrastructure-as-code and accessing administrative
interfaces over secure network protocols, such as Secure Shell (SSH) and Hypertext Transfer
Protocol Secure (HTTPS). Do not use insecure management protocols, such as Telnet (Teletype
Network) and HTTP, unless operationally essential.
Establish and maintain an audit log management process that defines the enterprise’s logging
requirements. At a minimum, address the collection, review, and retention of audit logs for
enterprise assets. Review and update documentation annually, or when significant enterprise
changes occur that could impact this Safeguard.
Collect audit logs. Ensure that logging, per the enterprise’s audit log management process, has
been enabled across enterprise assets.
Ensure that logging destinations maintain adequate storage to comply with the enterprise’s audit
log management process.
Standardize time synchronization. Configure at least two synchronized time sources across
enterprise assets, where supported.
Configure detailed audit logging for enterprise assets containing sensitive data. Include event
source, date, username, timestamp, source addresses, destination addresses, and other useful
elements that could assist in a forensic investigation.
Collect DNS query audit logs on enterprise assets, where appropriate and supported.
Collect URL request audit logs on enterprise assets, where appropriate and supported.
Centralize, to the extent possible, audit log collection and retention across enterprise assets.
Retain audit logs across enterprise assets for a minimum of 90 days.
Conduct reviews of audit logs to detect anomalies or abnormal events that could indicate a
potential threat. Conduct reviews on a weekly, or more frequent, basis.
Use DNS filtering services on all enterprise assets to block access to known malicious domains.
Enforce and update network-based URL filters to limit an enterprise asset from connecting to
potentially malicious or unapproved websites. Example implementations include category-based
filtering, reputation-based filtering, or through the use of block lists. Enforce filters for all
enterprise assets.
To lower the chance of spoofed or modified emails from valid domains, implement DMARC
policy and verification, starting with implementing the Sender Policy Framework (SPF) and the
DomainKeys Identified Mail (DKIM) standards.
Block unnecessary file types attempting to enter the enterprise’s email gateway.
Ensure network infrastructure is kept up-to-date. Example implementations include running the
latest stable release of software and/or using currently supported network-as-a-service (NaaS)
offerings. Review software versions monthly, or more frequently, to verify software support.
Establish and maintain a secure network architecture. A secure network architecture must
address segmentation, least privilege, and availability, at a minimum.
Securely manage network infrastructure. Example implementations include version-controlled-
infrastructure-as-code, and the use of secure network protocols, such as SSH and HTTPS.
Establish and maintain architecture diagram(s) and/or other network system documentation.
Review and update documentation annually, or when significant enterprise changes occur that
Centralize network AAA.
Use secure network management and communication protocols (e.g., 802.1X, Wi-Fi Protected
Access 2 (WPA2) Enterprise or greater).
Centralize security event alerting across enterprise assets for log correlation and analysis. Best
practice implementation requires the use of a SIEM, which includes vendor-defined event
correlation alerts. A log analytics platform configured with security-relevant correlation alerts also
satisfies this Safeguard.
Deploy a network intrusion detection solution on enterprise assets, where appropriate. Example
implementations include the use of a Network Intrusion Detection System (NIDS) or equivalent
cloud service provider (CSP) service.
Perform traffic filtering between network segments, where appropriate.

Collect network traffic flow logs and/or network traffic to review and alert upon from network
devices.
Perform periodic external penetration tests based on program requirements, no less than
annually. External penetration testing must include enterprise and environmental
reconnaissance to detect exploitable information. Penetration testing requires specialized skills
and experience and must be conducted through a qualified party. The testing may be clear box
or opaque box.
Remediate penetration test findings based on the enterprise’s policy for remediation scope and
prioritization.
Configure automatic session locking on enterprise assets after a defined period of inactivity. For
general purpose operating systems, the period must not exceed 15 minutes. For mobile end-
user devices, the period must not exceed 2 minutes.
Manage default accounts on enterprise assets and software, such as root, administrator, and
other pre-configured vendor accounts. Example implementations can include: disabling default
accounts or making them unusable.
Establish and maintain an inventory of all accounts managed in the enterprise. The inventory
must include both user and administrator accounts. The inventory, at a minimum, should contain
the person’s name, username, start/stop dates, and department. Validate that all active
accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently.
Use unique passwords for all enterprise assets. Best practice implementation includes, at a
minimum, an 8-character password for accounts using MFA and a 14-character password for
accounts not using MFA.
Delete or disable any dormant accounts after a period of 45 days of inactivity, where supported.
Restrict administrator privileges to dedicated administrator accounts on enterprise assets.

Conduct general computing activities, such as internet browsing, email, and productivity suite
use, from the user’s primary, non-privileged account.
Establish and maintain an inventory of service accounts. The inventory, at a minimum, must
contain department owner, review date, and purpose. Perform service account reviews to
validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly,
or more frequently.
Centralize account management through a directory or identity service.
Establish and follow a process, preferably automated, for granting access to enterprise assets
upon new hire, rights grant, or role change of a user.
Establish and follow a process, preferably automated, for revoking access to enterprise assets,
through disabling accounts immediately upon termination, rights revocation, or role change of a
user. Disabling accounts, instead of deleting accounts, may be necessary to preserve audit
trails.
Require all externally-exposed enterprise or third-party applications to enforce MFA, where
supported. Enforcing MFA through a directory service or SSO provider is a satisfactory
implementation of this Safeguard.
Require MFA for remote network access.

Require MFA for all administrative access accounts, where supported, on all enterprise assets,
whether managed on-site or through a third-party provider.
Establish and maintain an inventory of the enterprise’s authentication and authorization systems,
including those hosted on-site or at a remote service provider. Review and update the inventory,
at a minimum, annually, or more frequently.
Centralize access control for all enterprise assets through a directory service or SSO provider,
where supported.
Risk Treatment
Risk Treatment
Our Planned Implementation Safeguard Maturity
Score
Permit script scripting tools and compilers on only protected systems

5
administrator computers.
Permit script engines on only systems administrator computers. 5

Adopt SCAP policies for all devices. Create deployment images for each
device and deploy systems using only those images.
Add SCAP policies to the vulnerability scanning application and scan

4
systems before putting them into production.
Update the SCAP policies quarterly and include all approved changes to the
updated policies.
Operate a weekly vulnerability review meeting that checks to see if all

medium and high vulnerabilities are resolved. Include CIS RAM risk
4
assessment criteria in the meeting to identify reasonable alternatives for
vulnerabilities that are difficult to remediate.
Operate a weekly vulnerability review meeting that checks to see if all

Medium and high vulnerabilities are resolved. Include CIS RAM risk
5
assessment criteria in the meeting to identify reasonable alternatives for
vulnerabilities that are difficult to remediate.
Risk Treatment
Safeguard Impact to
Safeguard Expectancy Safeguard Impact to Safeguard Impact to
Operational
Score Mission Financial Objectives
Objectives
1 4 2 4
4 2 4
4 2 4
4 2 4
1 4 2 4
4 2 4
4 2 4
4 2 4
2 4 2 4
2 4 2 4
1 4 2 4
Risk Treatment
Risk Treatment Reasonable and Risk Treatment
Safeguard Impact to
Safeguard Risk Score Acceptable Safeguard Cost
Obligations
5 5 Yes $ -
5 No
5 Yes
5 No
5 5 Yes $ -
5 Yes
5 No
5 Yes
5 10 No $ 501,000
5 10 No
5 5 Yes
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
Yes
Yes
Yes
Yes
Yes
No
Yes
No
Yes
Yes
Yes
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
Yes
No
Yes
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
Yes
No
No
No
Yes
Yes
No
No
No
No
No
No
No
Impact to
Implementation Reasonabl
Implementation Year Financial Year
Quarter e?
Objectives
Q2 2022 $ - 2021 Yes
$ 501,000.00 2022 No
$ - 2023 Yes
$ - 2024 Yes
Q2 2022 $ - 2025 Yes
$ - 2026 Yes
$ - 2027 Yes
$ - 2028 Yes
Q2 2022 $ - 2029 Yes
$ - 2030 Yes
CIS-Hosted CSAT
Policy Defined Control Implemented
Maturity Scores
1 No Policy Not Implemented
2 Informal Policy Parts of Policy Implemented
3 Partially Written Policy Implemented on Some Systems
4 Written Policy Implemented on Most Systems
5 Approved Written Policy Implemented on All Systems
Unknown - Unscored None None
Unknown - N/A Not Applicable Not Applicable
CIS-Hosted CSAT for

CIS Controls v7.1
v7.1 Safeguard # Policy Defined Control Implemented
1.1 Approved Written Policy Implemented on Most Systems

1.3 Partially Written Policy Implemented on Some Systems
1.4 Approved Written Policy Implemented on All Systems
1.6 Informal Policy Parts of Policy Implemented
2.2 Partially Written Policy Implemented on All Systems
2.4 Approved Written Policy Implemented on Some Systems
3.1 Partially Written Policy Implemented on Most Systems
3.3 No Policy Not Implemented
3.7 Written Policy Implemented on Most Systems
4.2 Written Policy Implemented on All Systems
4.5 None None
4.6 None None
4.7 None None
4.8 None None

4.9 None None
5.4 None None
5.5 None None

6.3 None None
6.4 None None
6.5 None None
6.6 None None
6.7 None None
7.1 None None

7.3 None None
7.4 None None

7.5
7.6
7.7
7.8
7.9
8.1
8.2
8.3
8.4
8.5
8.6
8.7
8.8
9.1
9.2
9.3
9.4
10.1
10.2
10.3
10.4
10.5
11.1
11.2
11.3
11.4
11.5
11.6
11.7
12.1
12.2
12.3
12.4
12.5
12.6
12.8
12.11
13.1
13.2
13.4
13.6
13.7
14.1
14.2
14.3
14.4
14.6
15.1
15.2
15.3
15.6
15.7
15.9
15.10
16.1
16.2
16.3
16.4
16.5
16.6
16.7
16.8
16.9
16.10
16.11
16.12
17.1
17.2
17.3
17.4
17.5
17.6
17.7
17.8
17.9
18.1
18.2
18.3
18.4
18.5
18.6
18.7
18.8
18.9
18.10
18.11
19.1
19.2
19.3
19.4
19.5
19.6
19.7
20.1
20.2
20.4
20.5
20.6
20.8
CIS-Hosted CSAT
Maturity Scores
Not Automated Not Reported 1
Parts of Policy Automated Parts of Policy Reported 2
Automated on Some Systems Reported on Some Systems 3
Automated on Most Systems Reported on Most Systems 4
Automated on All Systems Reported on All Systems 5
Unknown -
None None
Unscored
Not Applicable Not Applicable Unknown - N/A
d CSAT Values From XLSX Export Calculated Numerical Score
Automated on All Systems Reported on Some Systems 5 4

Automated on Some Systems Reported on Most Systems 3 3
Automated on All Systems Reported on All Systems 5 5
Automated on Most Systems Reported on All Systems 3 3
Parts of Policy Automated Reported on Some Systems 2 2
Automated on Some Systems Reported on Some Systems 3 3
Automated on All Systems Reported on Most Systems 3 4
Automated on Most Systems Reported on Most Systems 3 4
Parts of Policy Automated Not Reported 1 1
Not Automated Not Reported 1 1
None None Unknown - Unscored Unknown - Unscored



Automated on All Systems Not Applicable 5 5

#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
CIS-Hosted CSA
All data on this page is considered sample data only, and n

any one individual organization's CSAT/RAM scoring. On
demonstration purposes.
ulated Numerical Score

CIS RAM Maturity Score CIS RAM Maturity Score
Average Final
5 3 4 4
3 4 3 3
5 5 5 5
4 5 4 4
2 3 2 2
3 4 3 3
3 3 3 3
3 4 4 4
5 5 5 5
4 5 4 4
4 5 5 5
5 4 4 4
4 4 4 4
2 1 1 1
2 1 1 1
1 1 1 1
4 4 4 4
5 3 4 4
4 5 4 4
4 5 5 5
5 5 5 5
5 4 5 5
Unknown -
Unknown - Unscored #DIV/0! #DIV/0!
Unscored
Unknown -
Unscored
Unknown -
Unscored
Unknown -
Unscored
Unknown -
Unscored
5 5 5 5
5 5 5 5
5 5 5 5
Unknown -
Unscored
Unknown -
Unscored
5 5 5 5
5 5 5 5
Unknown -
Unscored
Unknown -
Unscored
Unknown -
Unscored
Unknown -
Unscored
Unknown -
Unscored
Unknown -
Unscored
5 Unknown - N/A 5 5
Unknown -
Unscored
Unknown -
Unscored
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
sted CSAT
ata only, and not meant to reflect

AM scoring. Only to be used for
poses.
CIS-Hosted CSAT for CIS

Controls v8.0
v8 Safeguard # Policy Defined Control Implemented

2.1 Informal Policy Parts of Policy Implemented
2.4 Partially Written Policy Implemented on All Systems
2.6 Approved Written Policy Implemented on Some Systems
4.1 None None
4.2 None None
4.3 None None
4.4 None None

4.5 None None
4.9 None None
4.10 None None

5.2 None None
5.3 None None
5.4 None None
5.5 None None
5.6 None None
6.1 None None

6.3 None None
6.4 None None

8.4
8.5
8.6
8.7
8.8
8.9
8.10
8.11
9.1
9.2
9.3
9.4
9.5
9.6
10.1
10.2
10.3
10.4
10.5
10.6
10.7
11.1
11.2
11.3
11.4
11.5
12.1
12.2
12.3
12.4
12.5
12.6
12.7
13.1
13.2
13.3
13.4
13.5
13.6
14.1
14.2
14.3
14.4
14.5
14.6
14.7
14.8
14.9
15.1
15.2
15.3
15.4
16.1
16.2
16.3
16.4
16.5
16.6
16.7
16.8
16.9
16.10
16.11
17.1
17.2
17.3
17.4
17.5
17.6
17.7
17.8
18.1
18.2
18.3
CSAT Values From XLSX Export Calculated Numerical Score

Parts of Policy Automated Reported on Some Systems 2 2
Automated on Some Systems Reported on Some Systems 3 3
Unknown -
None None Unknown - Unscored
Unscored
Unknown -
Unscored
Unknown -
Unscored
Unknown -
Unscored
Unknown -
Unscored
Unknown -
Unscored
Unknown -
Unscored
Unknown -
Unscored
Unknown -
Unscored
Unknown -
Unscored
Unknown -
Unscored
Unknown -
Unscored
Unknown -
Unscored
Automated on All Systems Not Applicable 5 5
Unknown -
Unscored
Unknown -
Unscored
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
lculated Numerical Score
CIS RAM Maturity CIS RAM Maturity
Score Average Score Final
5 3 4 4
3 4 3 3
5 5 5 5
4 5 4 4
2 3 2 2
3 4 3 3
3 3 3 3
3 4 4 4
5 5 5 5
4 5 4 4
4 5 5 5
5 4 4 4
4 4 4 4
2 1 1 1
2 1 1 1
1 1 1 1
4 4 4 4
5 3 4 4
4 5 4 4
4 5 5 5
5 5 5 5
5 4 5 5
Unknown -
Unscored
Unknown -
Unscored
Unknown -
Unscored
Unknown -
Unscored
Unknown -
Unscored
5 5 5 5
5 5 5 5
5 5 5 5
Unknown -
Unscored
Unknown -
Unscored
5 5 5 5
5 5 5 5
Unknown -
Unscored
Unknown -
Unscored
Unknown -
Unscored
Unknown -
Unscored
Unknown -
Unscored
Unknown -
Unscored
5 Unknown - N/A 5 5
Unknown -
Unscored
Unknown -
Unscored
2 1 1 1
1 1 1 1
4 4 4 4
5 3 4 4
4 5 4 4
4 5 5 5
5 5 5 5
5 4 5 5
4 5 4 4
4 5 5 5
5 5 5 5
2 1 1 1
1 1 1 1
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
CIS CSAT Pro

v7.1 Safeguard #
1.1 5 (81-100%) 5 5
1.3 3 (41-60%) 3 3
1.4 4 (61-80%) 4 4
1.5 3 (41-60%) 3 3
1.6 2 (21-40%) 2 2
1.7 4 (61-80%) 4 4
2.1 4 (61-80%) 4 4
2.2 2 (21-40%) 2 2
2.3 2 (21-40%) 2 2
2.4 5 (81-100%) 5 5
2.6 2 (21-40%) 2 2
3.1
3.2 Not Applicable N N
3.3
3.4 Not Available N N
3.5
3.6
3.7
4.1
4.2
4.3
4.4
4.5
4.6
4.7
4.8
4.9
5.1
5.2
5.30
5.4
5.5
6.1
6.2
6.3 5 (81-100%) 5 5
6.4
6.5
6.6
6.7
7.1 5 (81-100%) 5 5
7.2
7.3 3 (41-60%) 3 3
7.4
7.5
7.6
7.7
7.8
7.9
8.1
8.2
8.3
8.4
8.5
8.6
8.7
8.8
9.1
9.2
9.3
9.4
10.1
10.2
10.3
10.4
10.5
11.1
11.2
11.3
11.4
11.5
11.6
11.7
12.1
12.2
12.3
12.4
12.5
12.6
12.8
12.11
13.1
13.2
13.4
13.6
13.7
14.1
14.2
14.3
14.4
14.6
15.1
15.2
15.3
15.6
15.7
15.9
15.10
16.1
16.2
16.3
16.4
16.5
16.6
16.7
16.8
16.9
16.10
16.11
16.12
17.1
17.2
17.3
17.4
17.5
17.6
17.7
17.8
17.9
18.1
18.2
18.3
18.4
18.5
18.6
18.7
18.8
18.9
18.10
18.11
19.1
19.2
19.3
19.4
19.5
19.6
19.7
20.1
20.2
20.4
20.5
20.6
20.8
SAT Pro

v8 Safeguard #
1.1 5 (81-100%) 5 5
1.2 3 (41-60%) 3 3
1.3 4 (61-80%) 4 4
1.4 3 (41-60%) 3 3
2.1 2 (21-40%) 2 2
2.2 4 (61-80%) 4 4
2.3 4 (61-80%) 4 4
2.4 2 (21-40%) 2 2
2.5 2 (21-40%) 2 2
2.6 5 (81-100%) 5 5
3.1 2 (21-40%) 2 2
3.2
3.3 Not Applicable N N
3.4
3.5 Not Available N N
3.6
3.7
3.8
3.9
3.10
3.11
3.12
4.1
4.2
4.3
4.4
4.5
4.6
4.7
4.8
4.9
4.10
4.11
5.1
5.2 5 (81-100%) 5 5
5.3
5.4
5.5
5.6
6.1 5 (81-100%) 5 5
6.2
6.3 3 (41-60%) 3 3
6.4 3 (41-60%) 3 3
6.5 2 (21-40%) 2 2
6.6 4 (61-80%) 4 4
6.7 4 (61-80%) 4 4
7.1 2 (21-40%) 2 2
7.2 2 (21-40%) 2 2
7.3 5 (81-100%) 5 5
7.4 4 (61-80%) 4 4
7.5 2 (21-40%) 2 2
7.6 2 (21-40%) 2 2
7.7 5 (81-100%) 5 5
8.1
8.2
8.3
8.4
8.5
8.6
8.7
8.8
8.9
8.10
8.11
9.1
9.2
9.3
9.4
9.5
9.6
10.1
10.2
10.3
10.4
10.5
10.6
10.7
11.1
11.2
11.3
11.4
11.5
12.1
12.2
12.3
12.4
12.5
12.6
12.7
13.1
13.2
13.3
13.4
13.5
13.6
14.1
14.2
14.3
14.4
14.5
14.6
14.7
14.8
14.9
15.1
15.2
15.3
15.4
16.1
16.2
16.3
16.4
16.5
16.6
16.7
16.8
16.9
16.10
16.11
17.1
17.2
17.3
17.4
17.5
17.6
17.7
17.8
18.1
18.2
18.3
All data on this page is considered sample data only, and n
any one individual organization's CSAT/RAM scoring. On
demonstration purposes.
ta only, and not meant to reflect
M scoring. Only to be used for
oses.

CIS RAM v2.1 For IG2 Workbook 23.03

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

CIS RAM v2.1 For IG2 Workbook 23.03

Uploaded by

Copyright:

Available Formats

CIS RAM v2.

dify values, such as Risk Acceptance

CIS CSAT (Controls Self Assessment Tool)

Impact Magnitude Prompt

What observable evidence would you have that your mission

Operational What business or organizational goals does the enterprise

Impact Magnitude Prompt

What observable evidence would you have that your operational

Impact Magnitude Prompt

What observable evidence would you have that your financial

What harm may foreseeably come to others as a result of a

Impact Magnitude Prompt

Describe a condition where others would not be harmed to a

Describe a condition where one or few others would be harmed

This mission would not be achieved, and would require short-

This mission would not be achieved. If significant, unplanned

The mission would not be achievable.

Growth plan would be intact.

Growth plan would be off target, but within variance.

Growth plan would be out of variance, but can be recovered

Growth plan would be out of variance, and may require multiple

Correctible harm may occur to one or few others.

Correctible harm may occur to many others, or harm that can be

4 Risk Acceptance Criteria

We would start to invest against risks to prevent

Mission Operational Objectives

The mission would remain intact. Growth plan would be intact.

This mission would not be perfectly achieved,

This mission would not be achieved, and would

The mission would not be achievable. We would not be able to grow.

Acceptable Risk is less than … 0

Mission Impact Operational Objectives Impact

No harm could foreseeably result.

Correctible harm may occur to one or

Correctible harm may occur to many

We would not be able to protect others

provide for the assets below.

Financial Objectives Impact Obligations Impact

Risk Register Risk Analysis

Asset Class Asset Name CIS Safeguard #

Maintain Inventory of Authorized

Ensure Software is Supported by

Utilize Software Inventory Tools x Identify

Track Software Inventory Information x Identify

Address unapproved software x x Respond

Run Automated Vulnerability

Perform Authenticated Vulnerability

Deploy Automated Operating System

Deploy Automated Software Patch

Compare Back-to-Back Vulnerability

Establish Secure Configurations x x Protect

Maintain Secure Images x Protect

Deploy System Configuration

Implement Automated Configuration

Ensure Use of Only Fully Supported

Limit Use of Scripting Languages in

Ensure Regular Automated BackUps x x Protect

Perform Complete System Backups x x Protect

Test Data on Backup Media x Protect

Protect Backups x x Protect

Ensure All Backups Have at Least

Maintain an Inventory of Sensitive

Remove Sensitive Data or Systems