Professional Documents
Culture Documents
1 for IG1
The CIS RAM for IG1 Workbook protects most cells in the Risk Register and lookup
tables to prevent users from accidentally changing the formulas and lookups that
automate the risk analysis and make it simple.
If users are confident in their use of Microsoft® Excel and wish to modify values, such
as Risk Acceptance Criteria, they may “unprotect” the document by going to the
“Review” tab in the Excel menu and selecting the “Unprotect sheet” button. However,
guidance for maintenance of the Workbook, formulas, lookups, and protected cells is
beyond the scope of this document.
Register and lookup
and lookups that
https://www.cisecurity.org/controls/v8/
This is a free tool with a dynamic list of the CIS Safeguards that can be filtered by Implementation Groups and mappings to multiple
frameworks.
https://www.cisecurity.org/controls/v8
Join our Community where you can discuss the CIS Controls with our global army of experts and volunteers!
https://workbench.cisecurity.org/dashboard
Overview: The CIS Controls® Self Assessment Tool, also known as CIS CSAT, enables organizations to assess and track their
implementation of the CIS Controls for Versions 8 and 7.1. The CIS Controls are a prioritized set of consensus-developed security best
practices used by organizations around the world to defend against cyber threats.
TWO TYPES:
CIS-Hosted CSAT: The CIS-hosted version of CIS CSAT is free to every organization for use in a non-commercial capacity to conduct
CIS Controls assessments of their organization. (released January 2019)
https://csat.cisecurity.org/
CIS CSAT Pro: The on-premises version of CIS CSAT is available exclusively for CIS SecureSuite Members. This version offers
additional features and benefits: Save time by using a simplified scoring method with a reduced number of questions, Decide whether to
opt in to share data and see how scores compare to industry average, Greater flexibility with organization trees for tracking
organizations, sub-organizations, and assessments, Assign users to different roles for different organizations/sub-organizations as well
as greater separation of administrative and non-administrative roles, Track multiple concurrent assessments in the same organization,
Easily access your tasks, assessments, and organizations from a consolidated home page, Includes CIS Controls Safeguard mappings
to NIST CSF, NIST SP 800-53, and PCI. (released August 2020)
https://www.cisecurity.org/controls/cis-controls-self-assessment-tool-cis-csat/
Enterprise Name
Enterprise Risk
Scope
Assessment Criteria
Last Completed (Date)
Impact Criteria
Definition
Operational Objectives
Asset Class Mission Impact
Impact
Enterprise
Devices
Applications
Data
Network
Users
Risk Register
NIST CSF Security
CIS Safeguard # CIS Safeguard Title
Function
Address Unauthorized
1.6 Respond
Assets
Maintain Inventory of
2.1 Identify
Authorized Software
Ensure Software is
2.2 Identify
Supported by Vendor
Address Unapproved
2.6 Respond
Software
Deploy Automated
3.4 Operating System Patch Protect
Management Tools
Deploy Automated
3.5 Software Patch Protect
Management Tools
Change Default
4.2 Protect
Passwords
Establish Secure
5.1 Protect
Configurations
Configure Anti-Malware
8.4 Scanning of Removable Detect
Devices
Apply Host-Based
9.4 Protect
Firewalls or Port-Filtering
Ensure Regular
10.1 Protect
Automated BackUps
Perform Complete
10.2 Protect
System Backups
Maintain an Inventory of
12.1 Identify
Network Boundaries
Deny Communication
12.4 Protect
Over Unauthorized Ports
Maintain an Inventory of
13.1 Identify
Sensitive Information
Disable Any
16.8 Respond
Unassociated Accounts
Disable Dormant
16.9 Respond
Accounts
Lock Workstation
16.11 Protect
Sessions After Inactivity
Implement a Security
17.3 N/A
Awareness Program
Train Workforce on
17.5 N/A
Secure Authentication
Train Workforce on
17.6 Identifying Social N/A
Engineering Attacks
Train Workforce on
17.7 N/A
Sensitive Data Handling
Train Workforce on
17.8 Causes of Unintentional N/A
Data Exposure
Train Workforce
17.9 Members on Identifying N/A
and Reporting Incidents
Document Incident
19.1 N/A
Response Procedures
Designate Management
19.3 Personnel to Support N/A
Incident Handling
Maintain Contact
Information For
19.5 N/A
Reporting Security
Incidents
Publish Information
Regarding Reporting
19.6 N/A
Computer Anomalies
and Incidents
Financial Objectives Obligations
Obligations Impact
Risk Analysis
Impact to
Safeguard Maturity Expectancy Impact to
Asset Class VCDB Index Operational
Score Score Mission
Objectives
Devices 1 0 0
Devices 1 0 0
Applications 2 0 0
Applications 2 0 0
Applications 2 0 0
Devices 1 0 0
Devices 1 0 0
Users 3 0 0
Users 3 0 0
Devices 1 0 0
Devices 1 0 0
Devices 1 0 0
Devices 1 0 0
Devices 1 0 0
Devices 1 0 0
Devices 1 0 0
Network 1 0 0
Data 3 0 0
Data 3 0 0
Data 3 0 0
Data 3 0 0
Network 1 0 0
Network 1 0 0
Network 1 0 0
Data 3 0 0
Data 3 0 0
Devices 1 0 0
Data 3 0 0
Network 1 0 0
Network 1 0 0
Users 3 0 0
Users 3 0 0
Devices 1 0 0
Users 3 0 0
Users 3 0 0
Users 3 0 0
Users 3 0 0
Users 3 0 0
Users 3 0 0
Enterprise 3 0 0
Enterprise 3 0 0
Enterprise 3 0 0
Enterprise 3 0 0
Risk Register
Impact to
Risk Score Risk Level Risk Treatment Option Risk Treatment Safeguard
Obligations
0 1.4
0 1.6
0 2.1
0 2.2
0 2.6
0 3.4
0 3.5
0 4.2
0 4.3
0 5.1
0 6.2
0 7.1
0 7.7
0 8.2
0 8.4
0 8.5
0 9.4
0 10.1
0 10.2
0 10.4
0 10.5
0 11.4
0 12.1
0 12.4
0 13.1
0 13.2
0 13.6
0 14.6
0 15.7
0 15.10
0 16.8
0 16.9
0 16.11
0 17.3
0 17.5
0 17.6
0 17.7
0 17.8
0 17.9
0 19.1
0 19.3
0 19.5
0 19.6
R
Risk Treatment Risk Treatment
Safeguard Title Safeguard Description
Maintain documented,
standard security
Establish Secure Configurations configuration standards for
all authorized operating
systems and software.
Maintain an up-to-date
inventory of all of the
Maintain an Inventory of Network Boundaries
organization's network
boundaries.
Create a security
awareness program for all
workforce members to
complete on a regular
basis to ensure they
understand and exhibit the
necessary behaviors and
Implement a Security Awareness Program skills to help ensure the
security of the
organization. The
organization's security
awareness program should
be communicated in a
continuous and engaging
manner.
Designate management
personnel, as well as
backups, who will support
Designate Management Personnel to Support Incident Handling
the incident handling
process by acting in key
decision-making roles.
0
0
0
0
0
0
0
0
0
0
0
0
Risk Treatment
Risk Treatment Risk Treatment
Safeguard Impact Reasonable and Risk Treatment
Safeguard Impact Safeguard Risk
to Operational Acceptable Safeguard Cost
to Obligations Score
Objectives
0 0 No
0 0 No
0 0 No
0 0 No
0 0 No
0 0 No
0 0 No
0 0 No
0 0 No
0 0 No
0 0 No
0 0 No
0 0 No
0 0 No
0 0 No
0 0 No
0 0 No
0 0 No
0 0 No
0 0 No
0 0 No
0 0 No
0 0 No
0 0 No
0 0 No
0 0 No
0 0 No
0 0 No
0 0 No
0 0 No
0 0 No
0 0 No
0 0 No
0 0 No
0 0 No
0 0 No
0 0 No
0 0 No
0 0 No
0 0 No
0 0 No
0 0 No
0 0 No
Reasonable Annual Cost
Impact to
Implementation Implementatio Reasonabl
Financial Year
Quarter n Year e?
Objectives
$ - 2021 Yes
$ - 2022 Yes
$ - 2023 Yes
$ - 2024 Yes
$ - 2025 Yes
$ - 2026 Yes
$ - 2027 Yes
$ - 2028 Yes
$ - 2029 Yes
$ - 2030 Yes
Enterprise Name
Enterprise Risk
Scope
Assessment Criteria
Last Completed (Date)
Impact Criteria
Definition
Operational Objectives
Asset Class Mission Impact
Impact
Enterprise
Devices
Applications
Data
Network
Users
Risk Register
NIST CSF Security
CIS Safeguard # CIS Safeguard Title
Function
Address Unauthorized
1.2 Respond
Assets
Ensure Authorized
2.2 Software is Currently Identify
Supported
Address Unauthorized
2.3 Respond
Software
Securely Manage
4.6 Enterprise Assets and Protect
Software
Manage Default
4.7 Accounts on Enterprise Protect
Assets and Software
Disable Dormant
5.3 Respond
Accounts
Restrict Administrator
5.4 Privileges to Dedicated Protect
Administrator Accounts
Establish an Access
6.1 Protect
Granting Process
Establish an Access
6.2 Protect
Revoking Process
Perform Automated
11.2 Recover
Backups
11.3 Protect Recovery Data Protect
Train Workforce
Members to Recognize
14.2 Protect
Social Engineering
Attacks
Train Workforce
Members on
14.3 Protect
Authentication Best
Practices
Train Workforce on Data
14.4 Protect
Handling Best Practices
Train Workforce
Members on Causes of
14.5 Protect
Unintentional Data
Exposure
Train Workforce
Members on
14.6 Recognizing and Protect
Reporting Security
Incidents
Designate Personnel to
17.1 Manage Incident Respond
Handling
Obligations Impact
Risk Analysis
Impact to
Safeguard Maturity Expectancy Impact to
Asset Class VCDB Index Operational
Score Score Mission
Objectives
Devices 1 0 0
Devices 1 0 0
Applications 2 0 0
Applications 2 0 0
Applications 2 0 0
Data 3 0 0
Data 3 0 0
Data 3 0 0
Data 3 0 0
Data 3 0 0
Devices 1 0 0
Applications 2 0 0
Network 1 0 0
Users 3 0 0
Devices 1 0 0
Devices 1 0 0
Network 1 0 0
Users 3 0 0
Users 3 0 0
Users 3 0 0
Users 3 0 0
Users 3 0 0
Users 3 0 0
Users 3 0 0
Users 3 0 0
Users 3 0 0
Users 3 0 0
Applications 2 0 0
Applications 2 0 0
Applications 2 0 0
Applications 2 0 0
Network 1 0 0
Network 1 0 0
Network 1 0 0
Applications 2 0 0
Network 1 0 0
Devices 1 0 0
Devices 1 0 0
Devices 1 0 0
Data 3 0 0
Data 3 0 0
Data 3 0 0
Data 3 0 0
Network 1 0 0
Enterprise 3 0 0
Enterprise 3 0 0
Enterprise 3 0 0
Enterprise 3 0 0
Enterprise 3 0 0
Enterprise 3 0 0
Enterprise 3 0 0
Enterprise 3 0 0
Enterprise 3 0 0
Enterprise 3 0 0
Enterprise 3 0 0
Enterprise 3 0 0
Risk Register
Impact to
Risk Score Risk Level Risk Treatment Option Risk Treatment Safeguard
Obligations
0 1.1
0 1.2
0 2.1
0 2.2
0 2.3
0 3.1
0 3.2
0 3.3
0 3.4
0 3.5
0 3.6
0 4.1
0 4.2
0 4.3
0 4.4
0 4.5
0 4.6
0 4.7
0 5.1
0 5.2
0 5.3
0 5.4
0 6.1
0 6.2
0 6.3
0 6.4
0 6.5
0 7.1
0 7.2
0 7.3
0 7.4
0 8.1
0 8.2
0 8.3
0 9.1
0 9.2
0 10.1
0 10.2
0 10.3
0 11.1
0 11.2
0 11.3
0 11.4
0 12.1
0 14.1
0 14.2
0 14.3
0 14.4
0 14.5
0 14.6
0 14.7
0 14.8
0 15.1
0 17.1
0 17.2
0 17.3
Risk Treatment
Safeguard Title
Train Workforce on How to Identify and Report if Their Enterprise Assets are Missing Security
Updates
Train Workforce on the Dangers of Connecting to and Transmitting Enterprise Data Over
Insecure Networks
Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential
to store or process data, to include: end-user devices (including portable and mobile), network devices, non-
computing/IoT devices, and servers. Ensure the inventory records the network address (if static), hardware
address, machine name, enterprise asset owner, department for each asset, and whether the asset has been
approved to connect to the network. For mobile end-user devices, MDM type tools can support this process,
where appropriate. This inventory includes assets connected to the infrastructure physically, virtually, remotely,
and those within cloud environments. Additionally, it includes assets that are regularly connected to the
enterprise’s network infrastructure, even if they are not under control of the enterprise. Review and update the
inventory of all enterprise assets bi-annually, or more frequently.
Ensure that a process exists to address unauthorized assets on a weekly basis. The enterprise may choose to
remove the asset from the network, deny the asset from connecting remotely to the network, or quarantine the
asset.
Establish and maintain a detailed inventory of all licensed software installed on enterprise assets. The software
inventory must document the title, publisher, initial install/use date, and business purpose for each entry; where
appropriate, include the Uniform Resource Locator (URL), app store(s), version(s), deployment mechanism,
and decommission date. Review and update the software inventory bi-annually, or more frequently.
Ensure that only currently supported software is designated as authorized in the software inventory for
enterprise assets. If software is unsupported, yet necessary for the fulfillment of the enterprise’s mission,
document an exception detailing mitigating controls and residual risk acceptance. For any unsupported
software without an exception documentation, designate as unauthorized. Review the software list to verify
software support at least monthly, or more frequently.
Ensure that unauthorized software is either removed from use on enterprise assets or receives a documented
exception. Review monthly, or more frequently.
Establish and maintain a data management process. In the process, address data sensitivity, data owner,
handling of data, data retention limits, and disposal requirements, based on sensitivity and retention standards
for the enterprise. Review and update documentation annually, or when significant enterprise changes occur
that could impact this Safeguard.
Establish and maintain a data inventory, based on the enterprise’s data management process. Inventory
sensitive data, at a minimum. Review and update inventory annually, at a minimum, with a priority on sensitive
data.
Configure data access control lists based on a user’s need to know. Apply data access control lists, also known
as access permissions, to local and remote file systems, databases, and applications.
Retain data according to the enterprise’s data management process. Data retention must include both minimum
and maximum timelines.
Securely dispose of data as outlined in the enterprise’s data management process. Ensure the disposal
process and method are commensurate with the data sensitivity.
Encrypt data on end-user devices containing sensitive data. Example implementations can include: Windows
BitLocker®, Apple FileVault®, Linux® dm-crypt.
Establish and maintain a secure configuration process for enterprise assets (end-user devices, including
portable and mobile, non-computing/IoT devices, and servers) and software (operating systems and
applications). Review and update documentation annually, or when significant enterprise changes occur that
could impact this Safeguard.
Establish and maintain a secure configuration process for network devices. Review and update documentation
annually, or when significant enterprise changes occur that could impact this Safeguard.
Configure automatic session locking on enterprise assets after a defined period of inactivity. For general
purpose operating systems, the period must not exceed 15 minutes. For mobile end-user devices, the period
must not exceed 2 minutes.
Implement and manage a firewall on servers, where supported. Example implementations include a virtual
firewall, operating system firewall, or a third-party firewall agent.
Implement and manage a host-based firewall or port-filtering tool on end-user devices, with a default-deny rule
that drops all traffic except those services and ports that are explicitly allowed.
Securely manage enterprise assets and software. Example implementations include managing configuration
through version-controlled-infrastructure-as-code and accessing administrative interfaces over secure network
protocols, such as Secure Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS). Do not use insecure
management protocols, such as Telnet (Teletype Network) and HTTP, unless operationally essential.
Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-
configured vendor accounts. Example implementations can include: disabling default accounts or making them
unusable.
Establish and maintain an inventory of all accounts managed in the enterprise. The inventory must include both
user and administrator accounts. The inventory, at a minimum, should contain the person’s name, username,
start/stop dates, and department. Validate that all active accounts are authorized, on a recurring schedule at a
minimum quarterly, or more frequently.
Use unique passwords for all enterprise assets. Best practice implementation includes, at a minimum, an 8-
character password for accounts using MFA and a 14-character password for accounts not using MFA.
Delete or disable any dormant accounts after a period of 45 days of inactivity, where supported.
Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general
computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-
privileged account.
Establish and follow a process, preferably automated, for granting access to enterprise assets upon new hire,
rights grant, or role change of a user.
Establish and follow a process, preferably automated, for revoking access to enterprise assets, through
disabling accounts immediately upon termination, rights revocation, or role change of a user. Disabling
accounts, instead of deleting accounts, may be necessary to preserve audit trails.
Require all externally-exposed enterprise or third-party applications to enforce MFA, where supported.
Enforcing MFA through a directory service or SSO provider is a satisfactory implementation of this Safeguard.
Require MFA for all administrative access accounts, where supported, on all enterprise assets, whether
managed on-site or through a third-party provider.
Establish and maintain a documented vulnerability management process for enterprise assets. Review and
update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly,
or more frequent, reviews.
Perform operating system updates on enterprise assets through automated patch management on a monthly,
or more frequent, basis.
Perform application updates on enterprise assets through automated patch management on a monthly, or more
frequent, basis.
Establish and maintain an audit log management process that defines the enterprise’s logging requirements. At
a minimum, address the collection, review, and retention of audit logs for enterprise assets. Review and update
documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
Collect audit logs. Ensure that logging, per the enterprise’s audit log management process, has been enabled
across enterprise assets.
Ensure that logging destinations maintain adequate storage to comply with the enterprise’s audit log
management process.
Ensure only fully supported browsers and email clients are allowed to execute in the enterprise, only using the
latest version of browsers and email clients provided through the vendor.
Use DNS filtering services on all enterprise assets to block access to known malicious domains.
Configure automatic updates for anti-malware signature files on all enterprise assets.
Establish and maintain a data recovery process. In the process, address the scope of data recovery activities,
recovery prioritization, and the security of backup data. Review and update documentation annually, or when
significant enterprise changes occur that could impact this Safeguard.
Perform automated backups of in-scope enterprise assets. Run backups weekly, or more frequently, based on
the sensitivity of the data.
Protect recovery data with equivalent controls to the original data. Reference encryption or data separation,
based on requirements.
Establish and maintain an isolated instance of recovery data. Example implementations include, version
controlling backup destinations through offline, cloud, or off-site systems or services.
Ensure network infrastructure is kept up-to-date. Example implementations include running the latest stable
release of software and/or using currently supported network-as-a-service (NaaS) offerings. Review software
versions monthly, or more frequently, to verify software support.
Establish and maintain a security awareness program. The purpose of a security awareness program is to
educate the enterprise’s workforce on how to interact with enterprise assets and data in a secure manner.
Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant
enterprise changes occur that could impact this Safeguard.
Train workforce members to recognize social engineering attacks, such as phishing, pre-texting, and tailgating.
Train workforce members on authentication best practices. Example topics include MFA, password
composition, and credential management.
Train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive data.
This also includes training workforce members on clear screen and desk best practices, such as locking their
screen when they step away from their enterprise asset, erasing physical and virtual whiteboards at the end of
meetings, and storing data and assets securely.
Train workforce members to be aware of causes for unintentional data exposure. Example topics include mis-
delivery of sensitive data, losing a portable end-user device, or publishing data to unintended audiences.
Train workforce members to be able to recognize a potential incident and be able to report such an incident.
Train workforce to understand how to verify and report out-of-date software patches or any failures in
automated processes and tools. Part of this training should include notifying IT personnel of any failures in
automated processes and tools.
Train workforce members on the dangers of connecting to, and transmitting data over, insecure networks for
enterprise activities. If the enterprise has remote workers, training must include guidance to ensure that all
users securely configure their home network infrastructure.
Establish and maintain an inventory of service providers. The inventory is to list all known service providers,
include classification(s), and designate an enterprise contact for each service provider. Review and update the
inventory annually, or when significant enterprise changes occur that could impact this Safeguard.
Designate one key person, and at least one backup, who will manage the enterprise’s incident handling
process. Management personnel are responsible for the coordination and documentation of incident response
and recovery efforts and can consist of employees internal to the enterprise, third-party vendors, or a hybrid
approach. If using a third-party vendor, designate at least one person internal to the enterprise to oversee any
third-party work. Review annually, or when significant enterprise changes occur that could impact this
Safeguard.
Establish and maintain contact information for parties that need to be informed of security incidents. Contacts
may include internal staff, third-party vendors, law enforcement, cyber insurance providers, relevant
government agencies, Information Sharing and Analysis Center (ISAC) partners, or other stakeholders. Verify
contacts annually to ensure that information is up-to-date.
Establish and maintain an enterprise process for the workforce to report security incidents. The process
includes reporting timeframe, personnel to report to, mechanism for reporting, and the minimum information to
be reported. Ensure the process is publicly available to all of the workforce. Review annually, or when
significant enterprise changes occur that could impact this Safeguard.
nt
Risk Treatment Risk Treatment Risk Treatment
Our Planned
Safeguard Maturity Safeguard Expectancy Safeguard Impact
Implementation
Score Score to Mission
0
0
0
0
0
0
0
Risk Treatment
Risk Treatment Risk Treatment
Safeguard Impact Reasonable and Risk Treatment
Safeguard Impact Safeguard Risk
to Operational Acceptable Safeguard Cost
to Obligations Score
Objectives
0 0 No
0 0 No
0 0 No
0 0 No
0 0 No
0 0 No
0 0 No
0 0 No
0 0 No
0 0 No
0 0 No
0 0 No
0 0 No
0 0 No
0 0 No
0 0 No
0 0 No
0 0 No
0 0 No
0 0 No
0 0 No
0 0 No
0 0 No
0 0 No
0 0 No
0 0 No
0 0 No
0 0 No
0 0 No
0 0 No
0 0 No
0 0 No
0 0 No
0 0 No
0 0 No
0 0 No
0 0 No
0 0 No
0 0 No
0 0 No
0 0 No
0 0 No
0 0 No
0 0 No
0 0 No
0 0 No
0 0 No
0 0 No
0 0 No
0 0 No
0 0 No
0 0 No
0 0 No
0 0 No
0 0 No
0 0 No
Reasonable Annual Cost
Impact to
Implementation Implementatio Reasonabl
Financial Year
Quarter n Year e?
Objectives
$ - 2021 Yes
$ - 2022 Yes
$ - 2023 Yes
$ - 2024 Yes
$ - 2025 Yes
$ - 2026 Yes
$ - 2027 Yes
$ - 2028 Yes
$ - 2029 Yes
$ - 2030 Yes
Color
Color Key
Title
CIS Safeguard #
CIS Safeguard Title
NIST CSF Security Function
Asset Class
Safeguard Maturity Score
VCDB Index
Risk Analysis
Expectancy Score
Impact to Mission
Impact to Operational Objectives
Impact to Obligations
Risk Score
Risk Level
Risk Treatment Option
Risk Treatment Safeguard
For optional user input. Risk assessors may add values into these columns if it's useful to
them.
Automated or fixed values on the Reasonable Annual Cost side of the Risk Register. While the
worksheet is in protected mode, these values cannot be changed.
Meaning
The unique CIS Safeguard identifier, as published in the CIS Controls.
The title of the CIS Safeguard, as published in the CIS Controls.
Mapping between the NIST CSF Security Functions and CIS Safeguards, as published in the
CIS Controls.
The asset class, as published in the CIS Controls.
A score of '1' through '5' designating the reliability of a Safeguard's effectiveness against
threats.
An automatically calculated value to represent how common the related threat is as a cause for
reported cybersecurity incidents.
An automatically calculated value to represent how commonly the related threat would be the
cause of a cybersecurity incident, given your current Safeguard.
The magnitude of harm that a successful threat would cause to your Mission.
The magnitude of harm that a successful threat would cause to your Operational Objectives.
The magnitude of harm that a successful threat would cause to your Obligations.
The product of the Expectancy and the highest of the three Impacts.
An evaluation of the risk as acceptable, unacceptable, or catastrophic.
A statement about whether the enterprise will accept or reduce the risk.
The unique CIS Safeguard identifier, as published in the CIS Controls.
A brief description of how the Safeguard will be implemented and operated in the enterprise.
A score of '1' through '5' designating the planned reliability of a Safeguard's effectiveness
against threats.
An automatically calculated value to represent how commonly the related threat would be the
cause of a cybersecurity incident, given the planned Safeguard.
The magnitude of harm that a successful threat would cause to your Mission.
The magnitude of harm that a successful threat would cause to your Operational Objectives.
The magnitude of harm that a successful threat would cause to your Obligations.
The product of the Expectancy and the highest of the three impacts, given the planned
Safeguard.
A determination of whether the planned Safeguard is reasonable and acceptable.
An estimate of how much the Safeguard is expected to cost.
When the Safeguard is planned for completion of implementation (which quarter).
When the Safeguard is planned for completion of implementation (which year).
We would not be able to achieve our We would not be able to meet our
3. Catastrophic
mission. objectives.
Risk Levels
Red Red indicates that the risk is “urgent.”
Yellow indicates that the risk is
Yellow
“unacceptably high, but not urgent.”
Green indicates that the risk evaluates
Green
as “acceptable.”
Criteria
Financial Objectives Obligations
The high dollar limit for each impact
Required
score.
Optional No harm would come to others.
The harm that would come to others
Optional
would be correctable.
Obligations Impact
Required
Optional
Optional
Optional
Optional
Optional
Maturity Scores
Maturity Scores
1
2
3
4
5
Expectancy Criteria
Expectancy Scores
1
2
3
VCDB Index
Incident Count
Asset Class
Enterprise
Applications
Data
Devices
Network
Users
Unknown
Definition
Safeguard is not implemented or is inconsistently implemented.
Safeguard is implemented fully on some assets or partially on all assets.
Safeguard is implemented on all assets.
Safeguard is tested and inconsistencies are corrected.
Safeguard has mechanisms that ensure consistent implementation over time.
Used for "Expectancy Score" and "Risk Treatment Safeguard Expectancy Score"
Expectancy Definition
The risk is not expected in this environment.
This risk should be expected to cause a security incident at some time.
We should expect this to happen soon, if it has not already occurred.
8893
Sum of Threat Count / Industry
4458
1253
4458
798
62
4458
863
Used to calculate "Expectancy Score" and "Risk Treatment Safeguard Expectancy Score"
Maturity
5
5
5
5
5
4
4
4
4
4
3
3
3
3
3
2
2
2
2
2
1
1
1
1
1
As of 7/29/2021
Percentage Index
50% 3
14% 2
50% 3
9% 1
1% 1
50% 3
10% 1
2.6
3.4
3.5
4.2
4.3
5.1
6.2
7.1
7.7
8.2
8.4
8.5
9.4
10.1
10.2
10.4
10.5
11.4
12.1
12.4
13.1
13.2
13.6
14.6
15.7
15.10
16.8
16.9
16.11
17.3
17.5
17.6
17.7
17.8
17.9
19.1
19.3
19.5
19.6
SAT Pro
CIS CSAT Pro for CIS Controls v8.0
2.3
3.1
3.2
3.3
3.4
3.5
3.6
4.1
4.2
4.3
4.4
4.5
4.6
4.7
5.1
5.2
5.3
5.4
6.1
6.2
6.3
6.4
6.5
7.1
7.2
7.3
7.4
8.1
8.2
8.3
9.1
9.2
10.1
10.2
10.3
11.1
11.2
11.3
11.4
12.1
14.1
14.2
14.3
14.4
14.5
14.6
14.7
14.8
15.1
17.1
17.2
17.3
Instructions for Importing CIS CSAT Pro Scores
into CIS RAM
1) In CIS CSAT Pro, filter on IG1 and Export Filtered CSV.
a. Go to the Assessment Summary page for the assessment of interest (this is reachable from the
Assessment Summary tab at the top of the Assessment Dashboard for that assessment).
b. Click the Filter button.
c. Select "IG-1" for the Implementation Group filter and click Search.
d. Click the "Export Filtered CSV" button to export the report.
2) Copy your scores from the exported CSAT Pro CSV file to the CIS RAM for IG1 Workbook.
a. In the CSAT Pro CSV file, copy the contents of column E (labeled “Sub-Control Score”) excluding
the heading row.
b. Go to the “CIS CSAT Pro” tab in the CIS RAM for IG1 Workbook.
c. Find the appropriate section in the “CIS CSAT Pro” tab based on which CIS Controls version you
are using (either CSAT Pro for CIS Controls v7.1 or CSAT Pro for CIS Controls v8.0).
d. Paste the copied data into the appropriate section of the “CIS CSAT Pro” tab.
e. For instance, if you are using Controls v7.1, you might copy cells E2 to E44 from the CSAT Pro
CSV to C5 to C47 in the “CIS CSAT Pro” tab of the CIS RAM for IG1 Workbook.
3) Note: Adjustments may need to be made based on your scoring from CSAT to CIS RAM.
4) Once scores are final, copy the scores in the “CIS RAM Maturity Score Final” column into the
"Safeguard Maturity Score" column of the appropriate CIS RAM tab – “Risk Register 7.1 for IG1” for v7.1 of
the CIS Controls or “Risk Register 8 for IG1” for v8 of the CIS Controls.
a. Right-click to copy and "Paste Special" as "Values" (e.g., 1,2,3).
b. Note: Values of ‘N’ and ‘DIV/0!’ may copy over from the “CIS CSAT Pro” and “CIS-Hosted CSAT”
tabs, if present. If copied, these values can be deleted from the “Safeguard Maturity Score” cell and
will not affect the functionality of the CIS RAM Risk Register.
Note: Please ensure that your enterprise's method for scoring Safeguards in CSAT Pro
aligns closely enough with the CIS RAM Maturity Scores (defined below). Adjustments
may need to be made based on your current scoring.
Maturity Scores
2
3
4
5
lease ensure that your enterprise's method for scoring Safeguards in CSAT Pro
closely enough with the CIS RAM Maturity Scores (defined below). Adjustments
may need to be made based on your current scoring.
Definition
1.4
1.6
2.1
2.2
2.6
3.4
3.5
4.2
4.3
5.1
6.2
7.1
7.7
8.2
8.4
8.5
9.4
10.1
10.2
10.4
10.5
11.4
12.1
12.4
13.1
13.2
13.6
14.6
15.7
15.10
16.8
16.9
16.11
17.3
17.5
17.6
17.7
17.8
17.9
19.1
19.3
19.5
19.6
CIS-Hosted CSAT
Control Automated Control Reported
Maturity Scores
Unknown -
None None
Unscored
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
CIS-Hosted CSA
1.1
1.2
2.1
2.2
2.3
3.1
3.2
3.3
3.4
3.5
3.6
4.1
4.2
4.3
4.4
4.5
4.6
4.7
5.1
5.2
5.3
5.4
6.1
6.2
6.3
6.4
6.5
7.1
7.2
7.3
7.4
8.1
8.2
8.3
9.1
9.2
10.1
10.2
10.3
11.1
11.2
11.3
11.4
12.1
14.1
14.2
14.3
14.4
14.5
14.6
14.7
14.8
15.1
17.1
17.2
17.3
CSAT Values From XLSX Export Calculated Numerical Score
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
lculated Numerical Score
CIS RAM Maturity CIS RAM Maturity
Score Average Score Final
Control Automated Control Reported
d. Check to see if any of these Safeguards are in the blue (Not Assessed) state. You can see this
will be a colored circle in each row by the Safeguard number. Any Safeguards that have a blue circle
you have any blue Safeguards and you want to continue these steps, one way to get them out of the
b. Go to the “CIS-Hosted CSAT” tab in the CIS RAM for IG1 Workbook.
c. Find the appropriate section in the “CIS-Hosted CSAT” tab based on which CIS Controls version
CIS-Hosted CSAT for CIS Controls v7.1 or CIS-Hosted CSAT for CIS Controls v8.0).
d. Paste the copied data into the appropriate section of the “CIS-Hosted CSAT” tab.
e. For instance, if you are using Controls v7.1, you might copy the cells from E2:E44 over to H2:H4
CSAT XLSX file, select cell C14 in the “CIS-Hosted CSAT” tab in the CIS RAM for IG1 Workbook an
3) Note: Adjustments may need to be made based on your scoring from CSAT to CIS RAM.
4) Once scores are final, copy the scores in the “CIS RAM Maturity Score Final” column into the “Safeguar
column of the appropriate CIS RAM tab – “Risk Register 7.1 for IG1” for v7.1 of the CIS Controls or “Risk Re
of the CIS Controls.
a. Right-click to copy and "Paste Special" as "Values" (e.g., 1,2,3).
b. Note: Values of ‘N’ and ‘DIV/0!’ may copy over from the “CIS CSAT Pro” and “CIS-Hosted CSAT
copied, these values can be deleted from the “Safeguard Maturity Score” cell and will not affect the f
RAM Risk Register.
Note: This method will average the four scoring categories in CIS-Hosted CSAT for each Safegu
those averages with the CIS RAM Maturity Scores. Please review the CIS RAM Maturity Scores, a
to ensure this method aligns closely enough for your enterprise's scoring practice
Maturity Scores
3
4
5
is method will average the four scoring categories in CIS-Hosted CSAT for each Safeguard and aligns
ages with the CIS RAM Maturity Scores. Please review the CIS RAM Maturity Scores, as defined below,
to ensure this method aligns closely enough for your enterprise's scoring practices.
Definition
Impact Criteria
To prepare each
generation to succeed to
the best of their ability; To
inspire young artists to
Maintain an operational
find their voice; To meet
Definition budget; Grow the
or exceed performance
Foundation
standards issued by the
state; To help each
This enterprise could tolerate a
student achieve their
loss up to $20,000.
potential.
obligations that each asset type could cause? To make this simple, add values
Inherent Risk Criteria ('1' through '3') for "Enterprise" only and leave the indented rows below
"Enterprise" blank. If you wish to estimate risks for each Asset Class, you must
Operational Objectives
Asset Class Mission Impact
Impact
Enterprise 2 2
Devices 2 2
Applications 2 2
Data 2 2
Network 1 2
Users 2 2
Risk Register
NIST CSF Security
CIS Safeguard # CIS Safeguard Title
Function
Address Unauthorized
1.6 Respond
Assets
Maintain Inventory of
2.1 Identify
Authorized Software
Ensure Software is
2.2 Identify
Supported by Vendor
Address Unapproved
2.6 Respond
Software
Deploy Automated
3.4 Operating System Patch Protect
Management Tools
Deploy Automated
3.5 Software Patch Protect
Management Tools
Change Default
4.2 Protect
Passwords
Establish Secure
5.1 Protect
Configurations
6.2 Activate Audit Logging Detect
Apply Host-Based
9.4 Protect
Firewalls or Port-Filtering
Ensure Regular
10.1 Protect
Automated BackUps
Deny Communication
12.4 Protect
Over Unauthorized Ports
Maintain an Inventory of
13.1 Identify
Sensitive Information
Protect Information
14.6 Through Access Control Protect
Lists
Leverage the Advanced
Encryption Standard
15.7 Protect
(AES) to Encrypt Wireless
Data
Implement a Security
17.3 N/A
Awareness Program
Train Workforce on
17.5 N/A
Secure Authentication
Train Workforce on
17.6 Identifying Social N/A
Engineering Attacks
Train Workforce on
17.7 N/A
Sensitive Data Handling
Train Workforce on
17.8 Causes of Unintentional N/A
Data Exposure
Document Incident
19.1 N/A
Response Procedures
Designate Management
19.3 Personnel to Support N/A
Incident Handling
Maintain Contact
19.5 Information For Reporting N/A
Security Incidents
Publish Information
Regarding Reporting
19.6 N/A
Computer Anomalies and
Incidents
Financial Objectives Obligations
Risk Analysis
Impact to
Safeguard Maturity Expectancy Impact to
Asset Class VCDB Index Operational
Score Score Mission
Objectives
Devices 3 1 2 2 2
Devices 3 1 2 2 2
Applications 2 2 2 2 2
Applications 4 2 1 2 2
Applications 1 2 3 2 2
Devices 4 1 1 2 2
Devices 1 1 2 2 2
Users 3 3 2 2 2
Users 4 3 2 2 2
Devices 5 1 1 2 2
Devices 2 1 2 2 2
Devices 2 1 2 2 2
Devices 1 1 2 2 2
Devices 2 1 2 2 2
Devices 4 1 1 2 2
Devices 3 1 2 2 2
Network 3 1 2 1 2
Data 3 3 2 2 2
Data 1 3 3 2 2
Data 1 3 3 2 2
Data 2 3 2 2 2
Network 4 1 1 1 2
Network 1 1 2 1 2
Network 1 1 2 1 2
Data 1 3 3 2 2
Data 1 3 3 2 2
Devices 2 1 2 2 2
Data 4 3 2 2 2
Network 3 1 2 1 2
Network 1 1 2 1 2
Users 2 3 2 2 2
Users 4 3 2 2 2
Devices 2 1 2 2 2
Users 5 3 1 2 2
Users 1 3 3 2 2
Users 2 3 2 2 2
Users 3 3 2 2 2
Users 4 3 2 2 2
Users 5 3 1 2 2
Enterprise 2 3 2 2 2
Enterprise 1 3 3 2 2
Enterprise 1 3 3 2 2
Enterprise 3 3 2 2 2
page is considered sample data only,
to reflect an individual organization's
. Only to be used for demonstration
purposes.
Risk Register
Impact to
Risk Score Risk Level Risk Treatment Option Risk Treatment Safeguard
Obligations
2 4 Reduce 1.4
2 4 Reduce 1.6
3 6 Reduce 2.1
3 3 Accept 2.2
3 9 Reduce 2.6
2 2 Accept 3.4
2 4 Reduce 3.5
3 6 Reduce 4.2
3 6 Reduce 4.3
2 2 Accept
2 4 Reduce 6.2
2 4 Reduce 7.1
2 4 Reduce 7.7
2 4 Reduce 8.2
2 2 Accept
2 4 Reduce 8.5
2 4 Reduce 9.4
3 6 Reduce 10.1
3 9 Reduce 10.2
3 9 Reduce 10.4
3 6 Reduce 10.5
2 2 Accept
2 4 Reduce 12.1
2 4 Reduce 12.4
3 9 Reduce 13.1
3 9 Reduce 13.2
2 4 Reduce 13.6
3 6 Accept
2 4 Reduce 15.7
2 4 Reduce 15.10
3 6 Reduce 16.8
3 6 Reduce 16.9
2 4 Reduce 16.11
3 3 Accept
3 9 Reduce 17.5
3 6 Reduce 17.6
3 6 Reduce 17.7
3 6 Reduce 17.8
3 3 Accept
3 6 Reduce 19.1
3 9 Reduce 19.3
3 9 Reduce 19.5
3 6 Reduce 19.6
Risk Treatment Risk Treatment
Safeguard Title Safeguard Description
Ensure Anti-Malware Software and Ensure that the organization's anti-malware software updates its
Signatures Are Updated scanning engine and signature database on a regular basis.
Configure Anti-Malware Scanning of Configure devices so that they automatically conduct an anti-
Removable Devices malware scan of removable media when inserted or connected.
Configure Devices to Not Auto-Run Configure devices to not auto-run content from removable
Content media.
Apply host-based firewalls or port filtering tools on end systems,
Apply Host-Based Firewalls or Port-
with a default-deny rule that drops all traffic except those
Filtering
services and ports that are explicitly allowed.
Ensure that all system data is automatically backed up on a
Ensure Regular Automated BackUps
regular basis.
Create Separate Wireless Network for Maintain an inventory of authorized wireless access points
Personal and Untrusted Devices connected to the wired network.
Train Workforce Members on Identifying Train employees to be able to identify the most common
and Reporting Incidents indicators of an incident and be able to report such an incident.
Ensure that there are written incident response plans that define
Document Incident Response Procedures roles of personnel as well as phases of incident
handling/management.
Designate management personnel, as well as backups, who will
Designate Management Personnel to
support the incident handling process by acting in key decision-
Support Incident Handling
making roles.
Assemble and maintain information on third-party contact
Maintain Contact Information For information to be used to report a security incident, such as Law
Reporting Security Incidents Enforcement, relevant government departments, vendors, and
ISAC partners.
Publish information for all workforce members, regarding
Publish Information Regarding Reporting reporting computer anomalies and incidents to the incident
Computer Anomalies and Incidents handling team. Such information should be included in routine
employee awareness activities.
Risk Treatment
Risk Treatment Risk Treatment Risk Treatment
Our Planned
Safeguard Maturity Safeguard Expectancy Safeguard Impact
Implementation
Score Score to Mission
at
Implement a NAC. 4 1 2
Implement a NAC. 4 1 2
Use application
4 1 2
whitelisting.
Configure end-user
systems to automatically 4 1 2
apply patches from vendor.
4 2 2
2 2 2
2 2 2
1 2 2
2 2 2
2
3 2 2
3 2 1
3 2 2
1 3 2
1 3 2
2 2 2
1 2 1
1 2 1
1 3 2
1 3 2
2 2 2
2
3 2 1
1 2 1
2 2 2
4 2 2
2 2 2
1 3 2
2 2 2
3 2 2
4 2 2
2 2 2
1 3 2
1 3 2
3 2 2
Risk Treatment
Risk Treatment Risk Treatment
Safeguard Impact Reasonable and Risk Treatment Implementati
Safeguard Impact Safeguard Risk
to Operational Acceptable Safeguard Cost on Quarter
to Obligations Score
Objectives
2 2 2 Yes Q2
2 2 2 Yes Q3
2 3 3 Yes Q4
2 3 Yes Q2
2 2 2 Yes Q4
2 3 6 No $ 5,000 Q4
2 3 6 No
2 2 Yes
2 2 4 Yes
2 2 4 Yes
2 2 4 Yes
2 2 4 Yes
2 2 Yes
2 2 4 Yes
2 2 4 Yes
2 3 6 No
2 3 9 No
2 3 9 No
2 3 6 No
2 2 Yes
2 2 4 Yes
2 2 4 Yes
2 3 9 No
2 3 9 No
2 2 4 Yes
2 3 No
2 2 4 Yes
2 2 4 Yes
2 3 6 No
2 3 6 No
2 2 4 Yes
2 3 Yes
2 3 9 No
2 3 6 No
2 3 6 No
2 3 6 No
2 3 Yes
2 3 6 No
2 3 9 No
2 3 9 No
2 3 6 No
Reasonable Annual Cost
Impact to
Implementatio
Financial Year Reasonable?
n Year
Objectives
$ - 2029 Yes
$ - 2030 Yes
CIS CSAT Pro
CIS CSAT Pro for CIS Controls v7.1
5 3 4 4
3 4 3 3
5 5 5 5
4 5 4 4
2 3 2 2
3 4 3 3
3 3 3 3
3 4 4 4
5 5 5 5
4 5 4 4
4 5 5 5
5 4 4 4
4 4 4 4
2 1 1 1
2 1 1 1
1 1 1 1
4 4 4 4
5 3 4 4
4 5 4 4
4 5 5 5
5 5 5 5
5 4 5 5
Unknown -
Unknown - Unscored #DIV/0! #DIV/0!
Unscored
Unknown -
Unknown - Unscored #DIV/0! #DIV/0!
Unscored
Unknown -
Unknown - Unscored #DIV/0! #DIV/0!
Unscored
Unknown -
Unknown - Unscored #DIV/0! #DIV/0!
Unscored
Unknown -
Unknown - Unscored #DIV/0! #DIV/0!
Unscored
5 5 5 5
5 5 5 5
5 5 5 5
Unknown -
Unknown - Unscored #DIV/0! #DIV/0!
Unscored
Unknown -
Unknown - Unscored #DIV/0! #DIV/0!
Unscored
5 5 5 5
5 5 5 5
Unknown -
Unknown - Unscored #DIV/0! #DIV/0!
Unscored
Unknown -
Unknown - Unscored #DIV/0! #DIV/0!
Unscored
Unknown -
Unknown - Unscored #DIV/0! #DIV/0!
Unscored
Unknown -
Unknown - Unscored #DIV/0! #DIV/0!
Unscored
Unknown -
Unknown - Unscored #DIV/0! #DIV/0!
Unscored
Unknown -
Unknown - Unscored #DIV/0! #DIV/0!
Unscored
5 Unknown - N/A 5 5
Unknown -
Unknown - Unscored #DIV/0! #DIV/0!
Unscored
Unknown -
Unknown - Unscored #DIV/0! #DIV/0!
Unscored
d CSAT
5 3 4 4
3 4 3 3
5 5 5 5
4 5 4 4
2 3 2 2
3 4 3 3
3 3 3 3
3 4 4 4
5 5 5 5
4 5 4 4
4 5 5 5
5 4 4 4
4 4 4 4
2 1 1 1
2 1 1 1
1 1 1 1
4 4 4 4
5 3 4 4
4 5 4 4
4 5 5 5
5 5 5 5
5 4 5 5
Unknown -
Unknown - Unscored #DIV/0! #DIV/0!
Unscored
Unknown -
Unknown - Unscored #DIV/0! #DIV/0!
Unscored
Unknown -
Unknown - Unscored #DIV/0! #DIV/0!
Unscored
Unknown -
Unknown - Unscored #DIV/0! #DIV/0!
Unscored
Unknown -
Unknown - Unscored #DIV/0! #DIV/0!
Unscored
5 5 5 5
5 5 5 5
5 5 5 5
Unknown -
Unknown - Unscored #DIV/0! #DIV/0!
Unscored
Unknown -
Unknown - Unscored #DIV/0! #DIV/0!
Unscored
5 5 5 5
5 5 5 5
Unknown -
Unknown - Unscored #DIV/0! #DIV/0!
Unscored
Unknown -
Unknown - Unscored #DIV/0! #DIV/0!
Unscored
Unknown -
Unknown - Unscored #DIV/0! #DIV/0!
Unscored
Unknown -
Unknown - Unscored #DIV/0! #DIV/0!
Unscored
Unknown -
Unknown - Unscored #DIV/0! #DIV/0!
Unscored
Unknown -
Unknown - Unscored #DIV/0! #DIV/0!
Unscored
5 Unknown - N/A 5 5
Unknown -
Unknown - Unscored #DIV/0! #DIV/0!
Unscored
Unknown -
Unknown - Unscored #DIV/0! #DIV/0!
Unscored
2 1 1 1
1 1 1 1
4 4 4 4
5 3 4 4
4 5 4 4
4 5 5 5
5 5 5 5
5 4 5 5
4 5 4 4
4 5 5 5
5 5 5 5
2 1 1 1
1 1 1 1