CIS RAM v2.

1 for IG1

The CIS RAM for IG1 Workbook protects most cells in the Risk Register and lookup
tables to prevent users from accidentally changing the formulas and lookups that
automate the risk analysis and make it simple.

If users are confident in their use of Microsoft® Excel and wish to modify values, such
as Risk Acceptance Criteria, they may “unprotect” the document by going to the
“Review” tab in the Excel menu and selecting the “Unprotect sheet” button. However,
guidance for maintenance of the Workbook, formulas, lookups, and protected cells is
beyond the scope of this document.
Register and lookup
and lookups that

o modify values, such

by going to the
et” button. However,
nd protected cells is
Remember to download the CIS Critical Security Controls (CIS Controls) Version 8 Guide where you can learn more about:
• This Version of the CIS Controls
• The CIS Controls Ecosystem ("It's not about the list")
• How to Get Started
• Using or Transitioning from Prior Versions of the CIS Controls
• Structure of the CIS Controls
• Implementation Groups
• Why is this Control critical
• Procedures and Tools

https://www.cisecurity.org/controls/v8/

This is a free tool with a dynamic list of the CIS Safeguards that can be filtered by Implementation Groups and mappings to multiple
frameworks.

https://www.cisecurity.org/controls/v8

Join our Community where you can discuss the CIS Controls with our global army of experts and volunteers!
https://workbench.cisecurity.org/dashboard

CIS CSAT (Controls Self Assessment Tool)

Overview: The CIS Controls® Self Assessment Tool, also known as CIS CSAT, enables organizations to assess and track their
implementation of the CIS Controls for Versions 8 and 7.1. The CIS Controls are a prioritized set of consensus-developed security best
practices used by organizations around the world to defend against cyber threats.

TWO TYPES:
CIS-Hosted CSAT: The CIS-hosted version of CIS CSAT is free to every organization for use in a non-commercial capacity to conduct
CIS Controls assessments of their organization. (released January 2019)
https://csat.cisecurity.org/

CIS CSAT Pro: The on-premises version of CIS CSAT is available exclusively for CIS SecureSuite Members. This version offers
additional features and benefits: Save time by using a simplified scoring method with a reduced number of questions, Decide whether to
opt in to share data and see how scores compare to industry average, Greater flexibility with organization trees for tracking
organizations, sub-organizations, and assessments, Assign users to different roles for different organizations/sub-organizations as well
as greater separation of administrative and non-administrative roles, Track multiple concurrent assessments in the same organization,
Easily access your tasks, assessments, and organizations from a consolidated home page, Includes CIS Controls Safeguard mappings
to NIST CSF, NIST SP 800-53, and PCI. (released August 2020)

https://www.cisecurity.org/controls/cis-controls-self-assessment-tool-cis-csat/
 Enterprise Name
Enterprise Risk
Scope
Assessment Criteria
Last Completed (Date)

Impact Criteria

Impact Scores Mission Operational Objectives

Definition

We would achieve our We would meet our

1. Acceptable
mission. objectives.
We would have to We would have to
reinvest or correct the reinvest or correct the
2. Unacceptable
situation to achieve our situation to achieve our
mission. objectives.

We would not be able to We would not be able to

3. Catastrophic
achieve our mission. meet our objectives.

What is the highest impact to the Mission, Operational Objectives, and

Obligations that each asset type could cause? To make this simple, add
values ('1' through '3') for "Enterprise" only and leave the indented rows
Inherent Risk Criteria
below "Enterprise" blank. If you wish to estimate risks for each Asset Class,
you must also add values to the rows that contain the Asset Classes you
wish to analyze.

Operational Objectives
Asset Class Mission Impact
Impact
Enterprise
Devices
Applications
Data
Network
Users

Risk Register
 NIST CSF Security
CIS Safeguard # CIS Safeguard Title
Function

Maintain Detailed Asset

1.4 Identify
Inventory

Address Unauthorized
1.6 Respond
Assets

Maintain Inventory of
2.1 Identify
Authorized Software

Ensure Software is
2.2 Identify
Supported by Vendor

Address Unapproved
2.6 Respond
Software

Deploy Automated
3.4 Operating System Patch Protect
Management Tools
 Deploy Automated
3.5 Software Patch Protect
Management Tools

Change Default
4.2 Protect
Passwords

Ensure the Use of

4.3 Dedicated Administrative Protect
Accounts

Establish Secure
5.1 Protect
Configurations

6.2 Activate Audit Logging Detect

Ensure Use of Only Fully

7.1 Supported Browsers and Protect
Email Clients

Use of DNS Filtering

7.7 Protect
Services
 Ensure Anti-Malware
8.2 Software and Signatures Protect
Are Updated

Configure Anti-Malware
8.4 Scanning of Removable Detect
Devices

Configure Devices to Not

8.5 Protect
Auto-Run Content

Apply Host-Based
9.4 Protect
Firewalls or Port-Filtering

Ensure Regular
10.1 Protect
Automated BackUps

Perform Complete
10.2 Protect
System Backups

10.4 Protect Backups Protect

Ensure All Backups

Have at Least One
10.5 Protect
Offline Backup
Destination
 Install the Latest Stable
Version of Any Security-
11.4 Protect
Related Updates on All
Network Devices

Maintain an Inventory of
12.1 Identify
Network Boundaries

Deny Communication
12.4 Protect
Over Unauthorized Ports

Maintain an Inventory of
13.1 Identify
Sensitive Information

Remove Sensitive Data

or Systems Not
13.2 Protect
Regularly Accessed by
Organization

Encrypt Mobile Device

13.6 Protect
Data
 Protect Information
14.6 Through Access Control Protect
Lists

Leverage the Advanced

Encryption Standard
15.7 Protect
(AES) to Encrypt
Wireless Data
Create Separate
Wireless Network for
15.10 Protect
Personal and Untrusted
Devices

Disable Any
16.8 Respond
Unassociated Accounts

Disable Dormant
16.9 Respond
Accounts

Lock Workstation
16.11 Protect
Sessions After Inactivity

Implement a Security
17.3 N/A
Awareness Program

Train Workforce on
17.5 N/A
Secure Authentication
 Train Workforce on
17.6 Identifying Social N/A
Engineering Attacks

Train Workforce on
17.7 N/A
Sensitive Data Handling

Train Workforce on
17.8 Causes of Unintentional N/A
Data Exposure

Train Workforce
17.9 Members on Identifying N/A
and Reporting Incidents

Document Incident
19.1 N/A
Response Procedures

Designate Management
19.3 Personnel to Support N/A
Incident Handling

Maintain Contact
Information For
19.5 N/A
Reporting Security
Incidents
 Publish Information
Regarding Reporting
19.6 N/A
Computer Anomalies
and Incidents
 Financial Objectives Obligations

The high dollar limit for

each impact score.

No harm would come to

others.

The harm that would

come to others would be
correctable.

The harm that would

come to others would not
be correctable.

n, Operational Objectives, and

ause? To make this simple, add
nly and leave the indented rows
estimate risks for each Asset Class,
at contain the Asset Classes you

Obligations Impact

Risk Analysis
 Impact to
Safeguard Maturity Expectancy Impact to
Asset Class VCDB Index Operational
Score Score Mission
Objectives

Devices 1 0 0

Devices 1 0 0

Applications 2 0 0

Applications 2 0 0

Applications 2 0 0

Devices 1 0 0
Devices 1 0 0

Users 3 0 0

Users 3 0 0

Devices 1 0 0

Devices 1 0 0

Devices 1 0 0

Devices 1 0 0
Devices 1 0 0

Devices 1 0 0

Devices 1 0 0

Network 1 0 0

Data 3 0 0

Data 3 0 0

Data 3 0 0

Data 3 0 0
Network 1 0 0

Network 1 0 0

Network 1 0 0

Data 3 0 0

Data 3 0 0

Devices 1 0 0
 Data 3 0 0

Network 1 0 0

Network 1 0 0

Users 3 0 0

Users 3 0 0

Devices 1 0 0

Users 3 0 0

Users 3 0 0
 Users 3 0 0

Users 3 0 0

Users 3 0 0

Users 3 0 0

Enterprise 3 0 0

Enterprise 3 0 0

Enterprise 3 0 0
Enterprise 3 0 0
Risk Register
 Impact to
Risk Score Risk Level Risk Treatment Option Risk Treatment Safeguard
Obligations

0 1.4

0 1.6

0 2.1

0 2.2

0 2.6

0 3.4
0 3.5

0 4.2

0 4.3

0 5.1

0 6.2

0 7.1

0 7.7
0 8.2

0 8.4

0 8.5

0 9.4

0 10.1

0 10.2

0 10.4

0 10.5
0 11.4

0 12.1

0 12.4

0 13.1

0 13.2

0 13.6
0 14.6

0 15.7

0 15.10

0 16.8

0 16.9

0 16.11

0 17.3

0 17.5
0 17.6

0 17.7

0 17.8

0 17.9

0 19.1

0 19.3

0 19.5
0 19.6
R
 Risk Treatment Risk Treatment
Safeguard Title Safeguard Description

Maintain an accurate and

up-to-date inventory of all
technology assets with the
potential to store or
process information. This
Maintain Detailed Asset Inventory
inventory shall include all
hardware assets, whether
connected to the
organization's network or
not.

Ensure that unauthorized

assets are either removed
from the network,
Address Unauthorized Assets
quarantined, or the
inventory is updated in a
timely manner.

Maintain an up-to-date list

of all authorized software
that is required in the
Maintain Inventory of Authorized Software
enterprise for any business
purpose on any business
system.

Ensure that only software

applications or operating
systems currently
supported by the
software's vendor are
Ensure Software is Supported by Vendor added to the organization's
authorized software
inventory. Unsupported
software should be tagged
as unsupported in the
inventory system.

Ensure that unauthorized

software is either removed
Address Unapproved Software
or the inventory is updated
in a timely manner.

Deploy automated software

update tools in order to
ensure that the operating
Deploy Automated Operating System Patch Management Tools systems are running the
most recent security
updates provided by the
software vendor.
 Deploy automated software
update tools in order to
ensure that third-party
Deploy Automated Software Patch Management Tools software on all systems is
running the most recent
security updates provided
by the software vendor.

Before deploying any new

asset, change all default
passwords to have values
Change Default Passwords
consistent with
administrative level
accounts.

Ensure that all users with

administrative account
access use a dedicated or
secondary account for
elevated activities. This
Ensure the Use of Dedicated Administrative Accounts
account should only be
used for administrative
activities and not internet
browsing, email, or similar
activities.

Maintain documented,
standard security
Establish Secure Configurations configuration standards for
all authorized operating
systems and software.

Ensure that local logging

has been enabled on all
Activate Audit Logging
systems and networking
devices.

Ensure that only fully

supported web browsers
and email clients are
allowed to execute in the
Ensure Use of Only Fully Supported Browsers and Email Clients organization, ideally only
using the latest version of
the browsers and email
clients provided by the
vendor.

Use DNS filtering services

Use of DNS Filtering Services to help block access to
known malicious domains.
 Ensure that the
organization's anti-malware
software updates its
Ensure Anti-Malware Software and Signatures Are Updated
scanning engine and
signature database on a
regular basis.

Configure devices so that

they automatically conduct
Configure Anti-Malware Scanning of Removable Devices an anti-malware scan of
removable media when
inserted or connected.

Configure devices to not

Configure Devices to Not Auto-Run Content auto-run content from
removable media.

Apply host-based firewalls

or port filtering tools on end
systems, with a default-
Apply Host-Based Firewalls or Port-Filtering deny rule that drops all
traffic except those
services and ports that are
explicitly allowed.

Ensure that all system data

Ensure Regular Automated BackUps is automatically backed up
on a regular basis.

Ensure that each of the

organization's key systems
are backed up as a
complete system, through
Perform Complete System Backups
processes such as
imaging, to enable the
quick recovery of an entire
system.

Ensure that backups are

properly protected via
physical security or
encryption when they are
Protect Backups stored, as well as when
they are moved across the
network. This includes
remote backups and cloud
services.

Ensure that all backups

have at least one backup
destination that is not
Ensure All Backups Have at Least One Offline Backup Destination
continuously addressable
through operating system
calls.
 Install the latest stable
Install the Latest Stable Version of Any Security-Related Updates on version of any security-
All Network Devices related updates on all
network devices.

Maintain an up-to-date
inventory of all of the
Maintain an Inventory of Network Boundaries
organization's network
boundaries.

Deny communication over

unauthorized TCP or UDP
ports or application traffic
to ensure that only
authorized protocols are
Deny Communication Over Unauthorized Ports
allowed to cross the
network boundary in or out
of the network at each of
the organization's network
boundaries.

Maintain an inventory of all

sensitive information
stored, processed, or
transmitted by the
Maintain an Inventory of Sensitive Information
organization's technology
systems, including those
located onsite or at a
remote service provider.

Remove sensitive data or

systems not regularly
accessed by the
organization from the
network. These systems
shall only be used as stand
Remove Sensitive Data or Systems Not Regularly Accessed by alone systems
Organization (disconnected from the
network) by the business
unit needing to
occasionally use the
system or completely
virtualized and powered off
until needed.

Utilize approved whole disk

encryption software to
Encrypt Mobile Device Data
encrypt the hard drive of all
mobile devices.
 Protect all information
stored on systems with file
system, network share,
claims, application, or
database specific access
control lists. These controls
Protect Information Through Access Control Lists will enforce the principle
that only authorized
individuals should have
access to the information
based on their need to
access the information as a
part of their responsibilities.

Leverage the Advanced

Leverage the Advanced Encryption Standard (AES) to Encrypt Encryption Standard (AES)
Wireless Data to encrypt wireless data in
transit.
Maintain an inventory of
Create Separate Wireless Network for Personal and Untrusted authorized wireless access
Devices points connected to the
wired network.
Disable any account that
cannot be associated with
Disable Any Unassociated Accounts
a business process or
business owner.
Automatically disable
Disable Dormant Accounts dormant accounts after a
set period of inactivity.
Automatically lock
workstation sessions after
Lock Workstation Sessions After Inactivity
a standard period of
inactivity.

Create a security
awareness program for all
workforce members to
complete on a regular
basis to ensure they
understand and exhibit the
necessary behaviors and
Implement a Security Awareness Program skills to help ensure the
security of the
organization. The
organization's security
awareness program should
be communicated in a
continuous and engaging
manner.

Train workforce members

on the importance of
Train Workforce on Secure Authentication
enabling and utilizing
secure authentication.
 Train the workforce on how
to identify different forms of
social engineering attacks,
Train Workforce on Identifying Social Engineering Attacks
such as phishing, phone
scams, and impersonation
calls.

Train workforce on how to

identify and properly store,
Train Workforce on Sensitive Data Handling transfer, archive, and
destroy sensitive
information.

Train workforce members

to be aware of causes for
unintentional data
exposures, such as losing
Train Workforce on Causes of Unintentional Data Exposure
their mobile devices or
emailing the wrong person
due to autocomplete in
email.

Train employees to be able

to identify the most
Train Workforce Members on Identifying and Reporting Incidents common indicators of an
incident and be able to
report such an incident.
Ensure that there are
written incident response
plans that define roles of
Document Incident Response Procedures
personnel as well as
phases of incident
handling/management.

Designate management
personnel, as well as
backups, who will support
Designate Management Personnel to Support Incident Handling
the incident handling
process by acting in key
decision-making roles.

Assemble and maintain

information on third-party
contact information to be
used to report a security
Maintain Contact Information For Reporting Security Incidents incident, such as Law
Enforcement, relevant
government departments,
vendors, and ISAC
partners.
 Publish information for all
workforce members,
regarding reporting
computer anomalies and
Publish Information Regarding Reporting Computer Anomalies and incidents to the incident
Incidents handling team. Such
information should be
included in routine
employee awareness
activities.
Risk Treatment
 Risk Treatment Risk Treatment Risk Treatment
Our Planned
Safeguard Maturity Safeguard Expectancy Safeguard Impact
Implementation
Score Score to Mission

0
0

0
0

0
0

0
0

0
0

0
0
 Risk Treatment
Risk Treatment Risk Treatment
Safeguard Impact Reasonable and Risk Treatment
Safeguard Impact Safeguard Risk
to Operational Acceptable Safeguard Cost
to Obligations Score
Objectives

0 0 No

0 0 No

0 0 No

0 0 No

0 0 No

0 0 No
0 0 No

0 0 No

0 0 No

0 0 No

0 0 No

0 0 No

0 0 No
0 0 No

0 0 No

0 0 No

0 0 No

0 0 No

0 0 No

0 0 No

0 0 No
0 0 No

0 0 No

0 0 No

0 0 No

0 0 No

0 0 No
0 0 No

0 0 No

0 0 No

0 0 No

0 0 No

0 0 No

0 0 No

0 0 No
0 0 No

0 0 No

0 0 No

0 0 No

0 0 No

0 0 No

0 0 No
0 0 No
Reasonable Annual Cost
 Impact to
Implementation Implementatio Reasonabl
Financial Year
Quarter n Year e?
Objectives

$ - 2021 Yes

$ - 2022 Yes

$ - 2023 Yes

$ - 2024 Yes

$ - 2025 Yes

$ - 2026 Yes
$ - 2027 Yes

$ - 2028 Yes

$ - 2029 Yes

$ - 2030 Yes
 Enterprise Name
Enterprise Risk
Scope
Assessment Criteria
Last Completed (Date)

Impact Criteria

Impact Scores Mission Operational Objectives

Definition

We would achieve our We would meet our

1. Acceptable
mission. objectives.
We would have to We would have to
reinvest or correct the reinvest or correct the
2. Unacceptable
situation to achieve our situation to achieve our
mission. objectives.

We would not be able to We would not be able to

3. Catastrophic
achieve our mission. meet our objectives.

What is the highest impact to the Mission, Operational Objectives, and

Obligations that each Asset Type could cause? To make this simple, add
values ('1' through '3') for "Enterprise" only and leave the indented rows
Inherent Risk Criteria
below "Enterprise" blank. If you wish to estimate risks for each Asset Class,
you must also add values to the rows that contain the Asset Classes you
wish to analyze.

Operational Objectives
Asset Class Mission Impact
Impact
Enterprise
Devices
Applications
Data
Network
Users

Risk Register
 NIST CSF Security
CIS Safeguard # CIS Safeguard Title
Function

Establish and Maintain

1.1 Detailed Enterprise Identify
Asset Inventory

Address Unauthorized
1.2 Respond
Assets

Establish and Maintain a

2.1 Identify
Software Inventory

Ensure Authorized
2.2 Software is Currently Identify
Supported

Address Unauthorized
2.3 Respond
Software

Establish and Maintain a

3.1 Data Management Identify
Process

Establish and Maintain a

3.2 Identify
Data Inventory

Configure Data Access

3.3 Protect
Control Lists
3.4 Enforce Data Retention Protect
Securely Dispose of
3.5 Protect
Data
Encrypt Data on End-
3.6 Protect
User Devices

Establish and Maintain a

4.1 Secure Configuration Protect
Process
 Establish and Maintain a
Secure Configuration
4.2 Protect
Process for Network
Infrastructure
Configure Automatic
4.3 Session Locking on Protect
Enterprise Assets
Implement and Manage
4.4 Protect
a Firewall on Servers
Implement and Manage
4.5 a Firewall on End-User Protect
Devices

Securely Manage
4.6 Enterprise Assets and Protect
Software

Manage Default
4.7 Accounts on Enterprise Protect
Assets and Software

Establish and Maintain

5.1 Identify
an Inventory of Accounts

5.2 Use Unique Passwords Protect

Disable Dormant
5.3 Respond
Accounts
Restrict Administrator
5.4 Privileges to Dedicated Protect
Administrator Accounts
Establish an Access
6.1 Protect
Granting Process

Establish an Access
6.2 Protect
Revoking Process

Require MFA for

6.3 Externally-Exposed Protect
Applications

Require MFA for Remote

6.4 Protect
Network Access

Require MFA for

6.5 Protect
Administrative Access
Establish and Maintain a
7.1 Vulnerability Protect
Management Process
Establish and Maintain a
7.2 Respond
Remediation Process
Perform Automated
7.3 Operating System Patch Protect
Management
 Perform Automated
7.4 Application Patch Protect
Management

Establish and Maintain

8.1 an Audit Log Protect
Management Process

8.2 Collect Audit Logs Detect

Ensure Adequate Audit
8.3 Protect
Log Storage

Ensure Use of Only Fully

9.1 Supported Browsers and Protect
Email Clients

Use DNS Filtering

9.2 Protect
Services
Deploy and Maintain
10.1 Protect
Anti-Malware Software
Configure Automatic
10.2 Anti-Malware Signature Protect
Updates
Disable Autorun and
10.3 Autoplay for Removable Protect
Media

Establish and Maintain a

11.1 Recover
Data Recovery Process

Perform Automated
11.2 Recover
Backups
11.3 Protect Recovery Data Protect

Establish and Maintain

11.4 an Isolated Instance of Recover
Recovery Data
Ensure Network
12.1 Infrastructure is Up-to- Protect
Date

Establish and Maintain a

14.1 Security Awareness Protect
Program

Train Workforce
Members to Recognize
14.2 Protect
Social Engineering
Attacks
Train Workforce
Members on
14.3 Protect
Authentication Best
Practices
 Train Workforce on Data
14.4 Protect
Handling Best Practices

Train Workforce
Members on Causes of
14.5 Protect
Unintentional Data
Exposure
Train Workforce
Members on
14.6 Recognizing and Protect
Reporting Security
Incidents

Train Workforce on How

to Identify and Report if
14.7 Their Enterprise Assets Protect
are Missing Security
Updates

Train Workforce on the

Dangers of Connecting
14.8 to and Transmitting Protect
Enterprise Data Over
Insecure Networks

Establish and Maintain

15.1 an Inventory of Service Identify
Providers

Designate Personnel to
17.1 Manage Incident Respond
Handling

Establish and Maintain

Contact Information for
17.2 Respond
Reporting Security
Incidents

Establish and Maintain

17.3 an Enterprise Process Respond
for Reporting Incidents
 Financial Objectives Obligations

The high dollar limit for

each impact score.

No harm would come to

others.

The harm that would

come to others would be
correctable.

The harm that would

come to others would not
be correctable.

n, Operational Objectives, and

cause? To make this simple, add
nly and leave the indented rows
estimate risks for each Asset Class,
at contain the Asset Classes you

Obligations Impact

Risk Analysis
 Impact to
Safeguard Maturity Expectancy Impact to
Asset Class VCDB Index Operational
Score Score Mission
Objectives

Devices 1 0 0

Devices 1 0 0

Applications 2 0 0

Applications 2 0 0

Applications 2 0 0

Data 3 0 0

Data 3 0 0

Data 3 0 0

Data 3 0 0

Data 3 0 0

Devices 1 0 0

Applications 2 0 0
Network 1 0 0

Users 3 0 0

Devices 1 0 0

Devices 1 0 0

Network 1 0 0

Users 3 0 0

Users 3 0 0

Users 3 0 0

Users 3 0 0

Users 3 0 0

Users 3 0 0

Users 3 0 0

Users 3 0 0

Users 3 0 0

Users 3 0 0

Applications 2 0 0

Applications 2 0 0

Applications 2 0 0
Applications 2 0 0

Network 1 0 0

Network 1 0 0

Network 1 0 0

Applications 2 0 0

Network 1 0 0

Devices 1 0 0

Devices 1 0 0

Devices 1 0 0

Data 3 0 0

Data 3 0 0

Data 3 0 0

Data 3 0 0

Network 1 0 0

Enterprise 3 0 0

Enterprise 3 0 0

Enterprise 3 0 0
Enterprise 3 0 0

Enterprise 3 0 0

Enterprise 3 0 0

Enterprise 3 0 0

Enterprise 3 0 0

Enterprise 3 0 0

Enterprise 3 0 0

Enterprise 3 0 0

Enterprise 3 0 0
Risk Register
 Impact to
Risk Score Risk Level Risk Treatment Option Risk Treatment Safeguard
Obligations

0 1.1

0 1.2

0 2.1

0 2.2

0 2.3

0 3.1

0 3.2

0 3.3

0 3.4

0 3.5

0 3.6

0 4.1
0 4.2

0 4.3

0 4.4

0 4.5

0 4.6

0 4.7

0 5.1

0 5.2

0 5.3

0 5.4

0 6.1

0 6.2

0 6.3

0 6.4

0 6.5

0 7.1

0 7.2

0 7.3
0 7.4

0 8.1

0 8.2

0 8.3

0 9.1

0 9.2

0 10.1

0 10.2

0 10.3

0 11.1

0 11.2

0 11.3

0 11.4

0 12.1

0 14.1

0 14.2

0 14.3
0 14.4

0 14.5

0 14.6

0 14.7

0 14.8

0 15.1

0 17.1

0 17.2

0 17.3
 Risk Treatment
Safeguard Title

Establish and Maintain Detailed Enterprise Asset Inventory

Address Unauthorized Assets

Establish and Maintain a Software Inventory

Ensure Authorized Software is Currently Supported

Address Unauthorized Software

Establish and Maintain a Data Management Process

Establish and Maintain a Data Inventory

Configure Data Access Control Lists

Enforce Data Retention

Securely Dispose of Data

Encrypt Data on End-User Devices

Establish and Maintain a Secure Configuration Process

Establish and Maintain a Secure Configuration Process for Network Infrastructure

Configure Automatic Session Locking on Enterprise Assets

Implement and Manage a Firewall on Servers

Implement and Manage a Firewall on End-User Devices

Securely Manage Enterprise Assets and Software

Manage Default Accounts on Enterprise Assets and Software

Establish and Maintain an Inventory of Accounts

Use Unique Passwords

Disable Dormant Accounts

Restrict Administrator Privileges to Dedicated Administrator Accounts

Establish an Access Granting Process

Establish an Access Revoking Process

Require MFA for Externally-Exposed Applications

Require MFA for Remote Network Access

Require MFA for Administrative Access

Establish and Maintain a Vulnerability Management Process

Establish and Maintain a Remediation Process

Perform Automated Operating System Patch Management

Perform Automated Application Patch Management

Establish and Maintain an Audit Log Management Process

Collect Audit Logs

Ensure Adequate Audit Log Storage

Ensure Use of Only Fully Supported Browsers and Email Clients

Use DNS Filtering Services

Deploy and Maintain Anti-Malware Software

Configure Automatic Anti-Malware Signature Updates

Disable Autorun and Autoplay for Removable Media

Establish and Maintain a Data Recovery Process

Perform Automated Backups

Protect Recovery Data

Establish and Maintain an Isolated Instance of Recovery Data

Ensure Network Infrastructure is Up-to-Date

Establish and Maintain a Security Awareness Program

Train Workforce Members to Recognize Social Engineering Attacks

Train Workforce Members on Authentication Best Practices

Train Workforce on Data Handling Best Practices

Train Workforce Members on Causes of Unintentional Data Exposure

Train Workforce Members on Recognizing and Reporting Security Incidents

Train Workforce on How to Identify and Report if Their Enterprise Assets are Missing Security
Updates

Train Workforce on the Dangers of Connecting to and Transmitting Enterprise Data Over
Insecure Networks

Establish and Maintain an Inventory of Service Providers

Designate Personnel to Manage Incident Handling

Establish and Maintain Contact Information for Reporting Security Incidents

Establish and Maintain an Enterprise Process for Reporting Incidents

Risk Treatment
 Risk Treatment
Safeguard Description

Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential
to store or process data, to include: end-user devices (including portable and mobile), network devices, non-
computing/IoT devices, and servers. Ensure the inventory records the network address (if static), hardware
address, machine name, enterprise asset owner, department for each asset, and whether the asset has been
approved to connect to the network. For mobile end-user devices, MDM type tools can support this process,
where appropriate. This inventory includes assets connected to the infrastructure physically, virtually, remotely,
and those within cloud environments. Additionally, it includes assets that are regularly connected to the
enterprise’s network infrastructure, even if they are not under control of the enterprise. Review and update the
inventory of all enterprise assets bi-annually, or more frequently.

Ensure that a process exists to address unauthorized assets on a weekly basis. The enterprise may choose to
remove the asset from the network, deny the asset from connecting remotely to the network, or quarantine the
asset.

Establish and maintain a detailed inventory of all licensed software installed on enterprise assets. The software
inventory must document the title, publisher, initial install/use date, and business purpose for each entry; where
appropriate, include the Uniform Resource Locator (URL), app store(s), version(s), deployment mechanism,
and decommission date. Review and update the software inventory bi-annually, or more frequently.

Ensure that only currently supported software is designated as authorized in the software inventory for
enterprise assets. If software is unsupported, yet necessary for the fulfillment of the enterprise’s mission,
document an exception detailing mitigating controls and residual risk acceptance. For any unsupported
software without an exception documentation, designate as unauthorized. Review the software list to verify
software support at least monthly, or more frequently.
Ensure that unauthorized software is either removed from use on enterprise assets or receives a documented
exception. Review monthly, or more frequently.
Establish and maintain a data management process. In the process, address data sensitivity, data owner,
handling of data, data retention limits, and disposal requirements, based on sensitivity and retention standards
for the enterprise. Review and update documentation annually, or when significant enterprise changes occur
that could impact this Safeguard.
Establish and maintain a data inventory, based on the enterprise’s data management process. Inventory
sensitive data, at a minimum. Review and update inventory annually, at a minimum, with a priority on sensitive
data.
Configure data access control lists based on a user’s need to know. Apply data access control lists, also known
as access permissions, to local and remote file systems, databases, and applications.
Retain data according to the enterprise’s data management process. Data retention must include both minimum
and maximum timelines.
Securely dispose of data as outlined in the enterprise’s data management process. Ensure the disposal
process and method are commensurate with the data sensitivity.
Encrypt data on end-user devices containing sensitive data. Example implementations can include: Windows
BitLocker®, Apple FileVault®, Linux® dm-crypt.
Establish and maintain a secure configuration process for enterprise assets (end-user devices, including
portable and mobile, non-computing/IoT devices, and servers) and software (operating systems and
applications). Review and update documentation annually, or when significant enterprise changes occur that
could impact this Safeguard.
Establish and maintain a secure configuration process for network devices. Review and update documentation
annually, or when significant enterprise changes occur that could impact this Safeguard.

Configure automatic session locking on enterprise assets after a defined period of inactivity. For general
purpose operating systems, the period must not exceed 15 minutes. For mobile end-user devices, the period
must not exceed 2 minutes.
Implement and manage a firewall on servers, where supported. Example implementations include a virtual
firewall, operating system firewall, or a third-party firewall agent.

Implement and manage a host-based firewall or port-filtering tool on end-user devices, with a default-deny rule
that drops all traffic except those services and ports that are explicitly allowed.

Securely manage enterprise assets and software. Example implementations include managing configuration
through version-controlled-infrastructure-as-code and accessing administrative interfaces over secure network
protocols, such as Secure Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS). Do not use insecure
management protocols, such as Telnet (Teletype Network) and HTTP, unless operationally essential.

Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-
configured vendor accounts. Example implementations can include: disabling default accounts or making them
unusable.
Establish and maintain an inventory of all accounts managed in the enterprise. The inventory must include both
user and administrator accounts. The inventory, at a minimum, should contain the person’s name, username,
start/stop dates, and department. Validate that all active accounts are authorized, on a recurring schedule at a
minimum quarterly, or more frequently.

Use unique passwords for all enterprise assets. Best practice implementation includes, at a minimum, an 8-
character password for accounts using MFA and a 14-character password for accounts not using MFA.

Delete or disable any dormant accounts after a period of 45 days of inactivity, where supported.

Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general
computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-
privileged account.
Establish and follow a process, preferably automated, for granting access to enterprise assets upon new hire,
rights grant, or role change of a user.
Establish and follow a process, preferably automated, for revoking access to enterprise assets, through
disabling accounts immediately upon termination, rights revocation, or role change of a user. Disabling
accounts, instead of deleting accounts, may be necessary to preserve audit trails.

Require all externally-exposed enterprise or third-party applications to enforce MFA, where supported.
Enforcing MFA through a directory service or SSO provider is a satisfactory implementation of this Safeguard.

Require MFA for remote network access.

Require MFA for all administrative access accounts, where supported, on all enterprise assets, whether
managed on-site or through a third-party provider.

Establish and maintain a documented vulnerability management process for enterprise assets. Review and
update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.

Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly,
or more frequent, reviews.

Perform operating system updates on enterprise assets through automated patch management on a monthly,
or more frequent, basis.
Perform application updates on enterprise assets through automated patch management on a monthly, or more
frequent, basis.

Establish and maintain an audit log management process that defines the enterprise’s logging requirements. At
a minimum, address the collection, review, and retention of audit logs for enterprise assets. Review and update
documentation annually, or when significant enterprise changes occur that could impact this Safeguard.

Collect audit logs. Ensure that logging, per the enterprise’s audit log management process, has been enabled
across enterprise assets.
Ensure that logging destinations maintain adequate storage to comply with the enterprise’s audit log
management process.

Ensure only fully supported browsers and email clients are allowed to execute in the enterprise, only using the
latest version of browsers and email clients provided through the vendor.

Use DNS filtering services on all enterprise assets to block access to known malicious domains.

Deploy and maintain anti-malware software on all enterprise assets.

Configure automatic updates for anti-malware signature files on all enterprise assets.

Disable autorun and autoplay auto-execute functionality for removable media.

Establish and maintain a data recovery process. In the process, address the scope of data recovery activities,
recovery prioritization, and the security of backup data. Review and update documentation annually, or when
significant enterprise changes occur that could impact this Safeguard.
Perform automated backups of in-scope enterprise assets. Run backups weekly, or more frequently, based on
the sensitivity of the data.
Protect recovery data with equivalent controls to the original data. Reference encryption or data separation,
based on requirements.

Establish and maintain an isolated instance of recovery data. Example implementations include, version
controlling backup destinations through offline, cloud, or off-site systems or services.

Ensure network infrastructure is kept up-to-date. Example implementations include running the latest stable
release of software and/or using currently supported network-as-a-service (NaaS) offerings. Review software
versions monthly, or more frequently, to verify software support.
Establish and maintain a security awareness program. The purpose of a security awareness program is to
educate the enterprise’s workforce on how to interact with enterprise assets and data in a secure manner.
Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant
enterprise changes occur that could impact this Safeguard.

Train workforce members to recognize social engineering attacks, such as phishing, pre-texting, and tailgating.

Train workforce members on authentication best practices. Example topics include MFA, password
composition, and credential management.
Train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive data.
This also includes training workforce members on clear screen and desk best practices, such as locking their
screen when they step away from their enterprise asset, erasing physical and virtual whiteboards at the end of
meetings, and storing data and assets securely.

Train workforce members to be aware of causes for unintentional data exposure. Example topics include mis-
delivery of sensitive data, losing a portable end-user device, or publishing data to unintended audiences.

Train workforce members to be able to recognize a potential incident and be able to report such an incident.

Train workforce to understand how to verify and report out-of-date software patches or any failures in
automated processes and tools. Part of this training should include notifying IT personnel of any failures in
automated processes and tools.

Train workforce members on the dangers of connecting to, and transmitting data over, insecure networks for
enterprise activities. If the enterprise has remote workers, training must include guidance to ensure that all
users securely configure their home network infrastructure.

Establish and maintain an inventory of service providers. The inventory is to list all known service providers,
include classification(s), and designate an enterprise contact for each service provider. Review and update the
inventory annually, or when significant enterprise changes occur that could impact this Safeguard.

Designate one key person, and at least one backup, who will manage the enterprise’s incident handling
process. Management personnel are responsible for the coordination and documentation of incident response
and recovery efforts and can consist of employees internal to the enterprise, third-party vendors, or a hybrid
approach. If using a third-party vendor, designate at least one person internal to the enterprise to oversee any
third-party work. Review annually, or when significant enterprise changes occur that could impact this
Safeguard.
Establish and maintain contact information for parties that need to be informed of security incidents. Contacts
may include internal staff, third-party vendors, law enforcement, cyber insurance providers, relevant
government agencies, Information Sharing and Analysis Center (ISAC) partners, or other stakeholders. Verify
contacts annually to ensure that information is up-to-date.
Establish and maintain an enterprise process for the workforce to report security incidents. The process
includes reporting timeframe, personnel to report to, mechanism for reporting, and the minimum information to
be reported. Ensure the process is publicly available to all of the workforce. Review annually, or when
significant enterprise changes occur that could impact this Safeguard.
nt
 Risk Treatment Risk Treatment Risk Treatment
Our Planned
Safeguard Maturity Safeguard Expectancy Safeguard Impact
Implementation
Score Score to Mission

0
0

0
0

0
0

0
 Risk Treatment
Risk Treatment Risk Treatment
Safeguard Impact Reasonable and Risk Treatment
Safeguard Impact Safeguard Risk
to Operational Acceptable Safeguard Cost
to Obligations Score
Objectives

0 0 No

0 0 No

0 0 No

0 0 No

0 0 No

0 0 No

0 0 No

0 0 No

0 0 No

0 0 No

0 0 No

0 0 No
0 0 No

0 0 No

0 0 No

0 0 No

0 0 No

0 0 No

0 0 No

0 0 No

0 0 No

0 0 No

0 0 No

0 0 No

0 0 No

0 0 No

0 0 No

0 0 No

0 0 No

0 0 No
0 0 No

0 0 No

0 0 No

0 0 No

0 0 No

0 0 No

0 0 No

0 0 No

0 0 No

0 0 No

0 0 No

0 0 No

0 0 No

0 0 No

0 0 No

0 0 No

0 0 No
0 0 No

0 0 No

0 0 No

0 0 No

0 0 No

0 0 No

0 0 No

0 0 No

0 0 No
Reasonable Annual Cost
 Impact to
Implementation Implementatio Reasonabl
Financial Year
Quarter n Year e?
Objectives

$ - 2021 Yes

$ - 2022 Yes

$ - 2023 Yes

$ - 2024 Yes

$ - 2025 Yes

$ - 2026 Yes

$ - 2027 Yes

$ - 2028 Yes

$ - 2029 Yes

$ - 2030 Yes
 Color

Color Key

Title
CIS Safeguard #
CIS Safeguard Title
NIST CSF Security Function
Asset Class
Safeguard Maturity Score

VCDB Index
Risk Analysis
Expectancy Score
Impact to Mission
Impact to Operational Objectives
Impact to Obligations
Risk Score
Risk Level
Risk Treatment Option
Risk Treatment Safeguard

Risk Treatment Safeguard Title

Risk Treatment Safeguard
Description
Our Planned Implementation
Risk Treatment Safeguard
Maturity Score
Risk Treatment Safeguard
Risk Expectancy Score
Treatment Risk Treatment Safeguard
Impact to Mission

Risk Treatment Safeguard

Impact to Operational Objectives

Risk Treatment Safeguard

Impact to Obligations
Risk Treatment Safeguard Risk
Score
Reasonable and Acceptable
 Risk Treatment Safeguard Cost
Implementation Quarter
Implementation Year

Impact to Financial Objectives

Reasonable
Annual Cost Year
Reasonable?
 Meaning
Automated or fixed values on the Risk Analysis side of the Risk Register. While the worksheet
is in protected mode, these values cannot be changed.
Automated or fixed values on the Risk Treatment side of the Risk Register. While the
worksheet is in protected mode, these values cannot be changed.
For user input. Risk assessors will add values into these columns.

For optional user input. Risk assessors may add values into these columns if it's useful to
them.
Automated or fixed values on the Reasonable Annual Cost side of the Risk Register. While the
worksheet is in protected mode, these values cannot be changed.

Meaning
The unique CIS Safeguard identifier, as published in the CIS Controls.
The title of the CIS Safeguard, as published in the CIS Controls.
Mapping between the NIST CSF Security Functions and CIS Safeguards, as published in the
CIS Controls.
The asset class, as published in the CIS Controls.
A score of '1' through '5' designating the reliability of a Safeguard's effectiveness against
threats.
An automatically calculated value to represent how common the related threat is as a cause for
reported cybersecurity incidents.
An automatically calculated value to represent how commonly the related threat would be the
cause of a cybersecurity incident, given your current Safeguard.
The magnitude of harm that a successful threat would cause to your Mission.
The magnitude of harm that a successful threat would cause to your Operational Objectives.
The magnitude of harm that a successful threat would cause to your Obligations.
The product of the Expectancy and the highest of the three Impacts.
An evaluation of the risk as acceptable, unacceptable, or catastrophic.
A statement about whether the enterprise will accept or reduce the risk.
The unique CIS Safeguard identifier, as published in the CIS Controls.

The title of the CIS Safeguard, as published in the CIS Controls.

The description of the CIS Safeguard, as published in the CIS Controls.

A brief description of how the Safeguard will be implemented and operated in the enterprise.
A score of '1' through '5' designating the planned reliability of a Safeguard's effectiveness
against threats.
An automatically calculated value to represent how commonly the related threat would be the
cause of a cybersecurity incident, given the planned Safeguard.
The magnitude of harm that a successful threat would cause to your Mission.

The magnitude of harm that a successful threat would cause to your Operational Objectives.

The magnitude of harm that a successful threat would cause to your Obligations.
The product of the Expectancy and the highest of the three impacts, given the planned
Safeguard.
A determination of whether the planned Safeguard is reasonable and acceptable.
An estimate of how much the Safeguard is expected to cost.
When the Safeguard is planned for completion of implementation (which quarter).
When the Safeguard is planned for completion of implementation (which year).

The total Risk Treatment Safeguard Cost for the year.

The year the total cost was incurred.
Whether or not the total cost falls above or below the acceptable limit, based on the
Acceptable Criteria for the enterprise's Financial Objectives.
 Impact Criteria
Impact Scores Mission Operational Objectives

Definition Required Required

1. Acceptable We would achieve our mission. We would meet our objectives.
We would have to reinvest or correct We would have to reinvest or correct
2. Unacceptable
the situation to achieve our mission. the situation to achieve our objectives.

We would not be able to achieve our We would not be able to meet our
3. Catastrophic
mission. objectives.

Inherent Risk Criteria

Asset Class Mission Impact Operational Objectives Impact
Enterprise Required Required
Devices Optional Optional
Applications Optional Optional
Data Optional Optional

Network Optional Optional

Users Optional Optional

Risk Levels
Red Red indicates that the risk is “urgent.”
Yellow indicates that the risk is
Yellow
“unacceptably high, but not urgent.”
Green indicates that the risk evaluates
Green
as “acceptable.”
Criteria
Financial Objectives Obligations
The high dollar limit for each impact
Required
score.
Optional No harm would come to others.
The harm that would come to others
Optional
would be correctable.

The harm that would come to others

would not be correctable.

Obligations Impact
Required
Optional
Optional
Optional

Optional

Optional
Maturity Scores

Maturity Scores
1
2
3
4
5

Expectancy Criteria

Expectancy Scores
1
2
3

Risk Acceptance Criteria

Acceptable Risk Score

<6

VCDB Index

Incident Count
Asset Class
Enterprise
Applications
Data
Devices
Network
Users
Unknown

VCDB Index Weight Table

VCDB Index Lookup

51
52
53
54
55
41
42
43
44
45
31
32
33
34
35
21
22
23
24
25
11
12
13
14
15
Used for "Safeguard Maturity Score" and "Risk Treatment Safeguard Maturity Score"

Definition
Safeguard is not implemented or is inconsistently implemented.
Safeguard is implemented fully on some assets or partially on all assets.
Safeguard is implemented on all assets.
Safeguard is tested and inconsistencies are corrected.
Safeguard has mechanisms that ensure consistent implementation over time.

Used for "Expectancy Score" and "Risk Treatment Safeguard Expectancy Score"

Expectancy Definition
The risk is not expected in this environment.
This risk should be expected to cause a security incident at some time.
We should expect this to happen soon, if it has not already occurred.

Used to evaluate risk acceptance

Risk Acceptance Criteria

All scores lower than '6' may be automatically accepted. All other risks must be reduced.

Used to populate "VCDB Index"

8893
Sum of Threat Count / Industry
4458
1253
4458
798
62
4458
863

Used to calculate "Expectancy Score" and "Risk Treatment Safeguard Expectancy Score"

Maturity
5
5
5
5
5
4
4
4
4
4
3
3
3
3
3
2
2
2
2
2
1
1
1
1
1
As of 7/29/2021
Percentage Index
50% 3
14% 2
50% 3
9% 1
1% 1
50% 3
10% 1

VCDB Index Expectancy

1 1
2 1
3 1
4 1
5 2
1 1
2 1
3 2
4 2
5 2
1 2
2 2
3 2
4 3
5 3
1 2
2 2
3 2
4 3
5 3
1 2
2 3
3 3
4 3
5 3
 CIS CSAT Pro
CIS CSAT Pro for CIS Controls v7.1

CSAT Pro Export CSAT Pro Score CIS RAM Maturity

v7.1 IG1 Safeguard #
Score (Stripped) Score Final
1.4
1.6
2.1
2.2

2.6

3.4

3.5

4.2

4.3

5.1

6.2

7.1

7.7

8.2
8.4
8.5
9.4
10.1
10.2
10.4
10.5
11.4
12.1
12.4
13.1
13.2
13.6
14.6
15.7
15.10
16.8
16.9
16.11
17.3
17.5
17.6
17.7
17.8
17.9
19.1
19.3
19.5
19.6
SAT Pro
CIS CSAT Pro for CIS Controls v8.0

CSAT Pro Export CSAT Pro Score CIS RAM Maturity

v8 IG1 Safeguard #
Score (Stripped) Score Final
1.1
1.2
2.1
2.2

2.3

3.1

3.2

3.3

3.4

3.5

3.6

4.1

4.2

4.3
4.4
4.5
4.6
4.7
5.1
5.2
5.3
5.4
6.1
6.2
6.3
6.4
6.5
7.1
7.2
7.3
7.4
8.1
8.2
 8.3
9.1
9.2
10.1
10.2
10.3
11.1
11.2
11.3
11.4
12.1
14.1
14.2
14.3
14.4
14.5
14.6
14.7
14.8
15.1
17.1
17.2
17.3
Instructions for Importing CIS CSAT Pro Scores
into CIS RAM
1) In CIS CSAT Pro, filter on IG1 and Export Filtered CSV.
a. Go to the Assessment Summary page for the assessment of interest (this is reachable from the
Assessment Summary tab at the top of the Assessment Dashboard for that assessment).
b. Click the Filter button.
c. Select "IG-1" for the Implementation Group filter and click Search.
d. Click the "Export Filtered CSV" button to export the report.
2) Copy your scores from the exported CSAT Pro CSV file to the CIS RAM for IG1 Workbook.
a. In the CSAT Pro CSV file, copy the contents of column E (labeled “Sub-Control Score”) excluding
the heading row.
b. Go to the “CIS CSAT Pro” tab in the CIS RAM for IG1 Workbook.

c. Find the appropriate section in the “CIS CSAT Pro” tab based on which CIS Controls version you
are using (either CSAT Pro for CIS Controls v7.1 or CSAT Pro for CIS Controls v8.0).

d. Paste the copied data into the appropriate section of the “CIS CSAT Pro” tab.
e. For instance, if you are using Controls v7.1, you might copy cells E2 to E44 from the CSAT Pro
CSV to C5 to C47 in the “CIS CSAT Pro” tab of the CIS RAM for IG1 Workbook.
3) Note: Adjustments may need to be made based on your scoring from CSAT to CIS RAM.
4) Once scores are final, copy the scores in the “CIS RAM Maturity Score Final” column into the
"Safeguard Maturity Score" column of the appropriate CIS RAM tab – “Risk Register 7.1 for IG1” for v7.1 of
the CIS Controls or “Risk Register 8 for IG1” for v8 of the CIS Controls.
a. Right-click to copy and "Paste Special" as "Values" (e.g., 1,2,3).
b. Note: Values of ‘N’ and ‘DIV/0!’ may copy over from the “CIS CSAT Pro” and “CIS-Hosted CSAT”
tabs, if present. If copied, these values can be deleted from the “Safeguard Maturity Score” cell and
will not affect the functionality of the CIS RAM Risk Register.
Note: Please ensure that your enterprise's method for scoring Safeguards in CSAT Pro
aligns closely enough with the CIS RAM Maturity Scores (defined below). Adjustments
may need to be made based on your current scoring.

Maturity Scores

2
3
4
5
lease ensure that your enterprise's method for scoring Safeguards in CSAT Pro
closely enough with the CIS RAM Maturity Scores (defined below). Adjustments
may need to be made based on your current scoring.

Definition

Safeguard is not implemented or is inconsistently implemented.

Safeguard is implemented fully on some assets or partially on all assets.

Safeguard is implemented on all assets.
Safeguard is tested and inconsistencies are corrected.
Safeguard has mechanisms that ensure consistent implementation over time.
 CIS-Hosted CSAT
Policy Defined Control Implemented
Maturity Scores

1 No Policy Not Implemented

2 Informal Policy Parts of Policy Implemented

3 Partially Written Policy Implemented on Some Systems

4 Written Policy Implemented on Most Systems

5 Approved Written Policy Implemented on All Systems

Unknown - Unscored None None

Unknown - N/A Not Applicable Not Applicable

CIS-Hosted CSAT for

CIS-Hosted CSAT Values From XLSX Export
CIS Controls v7.1

v7.1 IG1 Safeguard # Policy Defined Control Implemented

1.4

1.6

2.1

2.2

2.6

3.4

3.5

4.2
4.3
5.1
6.2
7.1
7.7
8.2
8.4
 8.5
9.4
10.1
10.2
10.4
10.5
11.4
12.1
12.4
13.1
13.2
13.6
14.6
15.7
15.10
16.8
16.9
16.11
17.3
17.5
17.6
17.7
17.8
17.9
19.1
19.3
19.5
19.6
 CIS-Hosted CSAT
Control Automated Control Reported
Maturity Scores

Not Automated Not Reported 1

Parts of Policy Automated Parts of Policy Reported 2

Automated on Some Systems Reported on Some Systems 3

Automated on Most Systems Reported on Most Systems 4

Automated on All Systems Reported on All Systems 5

Unknown -
None None
Unscored

Not Applicable Not Applicable Unknown - N/A

d CSAT Values From XLSX Export Calculated Numerical Score

Control Automated Control Reported Policy Defined Control Implemented

#N/A #N/A

#N/A #N/A

#N/A #N/A

#N/A #N/A

#N/A #N/A

#N/A #N/A

#N/A #N/A

#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
 CIS-Hosted CSA

ulated Numerical Score

CIS RAM Maturity Score CIS RAM Maturity Score
Average Final
Control Automated Control Reported

#N/A #N/A #N/A #N/A

#N/A #N/A #N/A #N/A

#N/A #N/A #N/A #N/A

#N/A #N/A #N/A #N/A

#N/A #N/A #N/A #N/A

#N/A #N/A #N/A #N/A

#N/A #N/A #N/A #N/A

#N/A #N/A #N/A #N/A

#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
sted CSAT

CIS-Hosted CSAT for CIS

CIS-Hosted CSAT Values From XLSX Export
Controls v8.0

v8 IG1 Safeguard # Policy Defined Control Implemented

1.1

1.2

2.1

2.2

2.3

3.1

3.2

3.3
3.4
3.5
3.6
4.1
4.2
4.3
4.4
4.5
4.6
4.7
5.1
5.2
5.3
5.4
6.1
6.2
6.3
6.4
6.5
7.1
7.2
7.3
7.4
8.1
8.2
8.3
9.1
9.2
10.1
10.2
10.3
11.1
11.2
11.3
11.4
12.1
14.1
14.2
14.3
14.4
14.5
14.6
14.7
14.8
15.1
17.1
17.2
17.3
CSAT Values From XLSX Export Calculated Numerical Score

Control Automated Control Reported Policy Defined Control Implemented

#N/A #N/A

#N/A #N/A

#N/A #N/A

#N/A #N/A

#N/A #N/A

#N/A #N/A

#N/A #N/A

#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
lculated Numerical Score
CIS RAM Maturity CIS RAM Maturity
Score Average Score Final
Control Automated Control Reported

#N/A #N/A #N/A #N/A

#N/A #N/A #N/A #N/A

#N/A #N/A #N/A #N/A

#N/A #N/A #N/A #N/A

#N/A #N/A #N/A #N/A

#N/A #N/A #N/A #N/A

#N/A #N/A #N/A #N/A

#N/A #N/A #N/A #N/A

#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
Instructions for Importing CIS-Hosted CSAT Scores
RAM

1) In CIS-Hosted CSAT, filter on IG1 and export the filtered Safeguards

a. Go to the All Controls page for the assessment of interest (this is reachable from the All Controls
the left under “Current Assessment”).
b. Click the Filter button.
c. Select “Group 1” for the Implementation Group filter and click Filter.

d. Check to see if any of these Safeguards are in the blue (Not Assessed) state. You can see this
will be a colored circle in each row by the Safeguard number. Any Safeguards that have a blue circle
you have any blue Safeguards and you want to continue these steps, one way to get them out of the

i. Select the checkbox next to each blue Safeguard.

ii. Select “Un-Assign the control” from the Bulk Action option dropdown and click the “Save”
dropdown. Please note: If any of the selected Safeguards were assigned, this will remove th
date.
e. Click the Download Report button to export the report.
2) Copy your scores from the exported CIS-Hosted CSAT XLSX file to the CIS RAM for IG1 Workbook.
a. In the CIS-Hosted CSAT XLSX file, copy the contents of columns E through H (labeled Policy D
Implemented, Control Automated, and Control Reported) excluding the heading row.

b. Go to the “CIS-Hosted CSAT” tab in the CIS RAM for IG1 Workbook.
c. Find the appropriate section in the “CIS-Hosted CSAT” tab based on which CIS Controls version
CIS-Hosted CSAT for CIS Controls v7.1 or CIS-Hosted CSAT for CIS Controls v8.0).
d. Paste the copied data into the appropriate section of the “CIS-Hosted CSAT” tab.

e. For instance, if you are using Controls v7.1, you might copy the cells from E2:E44 over to H2:H4
CSAT XLSX file, select cell C14 in the “CIS-Hosted CSAT” tab in the CIS RAM for IG1 Workbook an

3) Note: Adjustments may need to be made based on your scoring from CSAT to CIS RAM.
4) Once scores are final, copy the scores in the “CIS RAM Maturity Score Final” column into the “Safeguar
column of the appropriate CIS RAM tab – “Risk Register 7.1 for IG1” for v7.1 of the CIS Controls or “Risk Re
of the CIS Controls.
a. Right-click to copy and "Paste Special" as "Values" (e.g., 1,2,3).
b. Note: Values of ‘N’ and ‘DIV/0!’ may copy over from the “CIS CSAT Pro” and “CIS-Hosted CSAT
copied, these values can be deleted from the “Safeguard Maturity Score” cell and will not affect the f
RAM Risk Register.
 Note: This method will average the four scoring categories in CIS-Hosted CSAT for each Safegu
those averages with the CIS RAM Maturity Scores. Please review the CIS RAM Maturity Scores, a
to ensure this method aligns closely enough for your enterprise's scoring practice

Maturity Scores

3
4

5
is method will average the four scoring categories in CIS-Hosted CSAT for each Safeguard and aligns
ages with the CIS RAM Maturity Scores. Please review the CIS RAM Maturity Scores, as defined below,
to ensure this method aligns closely enough for your enterprise's scoring practices.

Definition

Safeguard is not implemented or is inconsistently implemented.

Safeguard is implemented fully on some assets or partially on all assets.

Safeguard is implemented on all assets.

Safeguard is tested and inconsistencies are corrected.

Safeguard has mechanisms that ensure consistent implementation over time.

 Enterprise Name State College
Enterprise Risk
Scope All assets
Assessment Criteria
Last Completed (Date) 20-Aug-21

Impact Criteria

Impact Scores Mission Operational Objectives

To prepare each
generation to succeed to
the best of their ability; To
inspire young artists to
Maintain an operational
find their voice; To meet
Definition budget; Grow the
or exceed performance
Foundation
standards issued by the
state; To help each
This enterprise could tolerate a
student achieve their
loss up to $20,000.
potential.

We would achieve our We would meet our

1. Acceptable
mission. objectives.
We would have to We would have to
reinvest or correct the reinvest or correct the
2. Unacceptable
situation to achieve our situation to achieve our
mission. objectives. If this enterprise
loses more than
We would not be able to $1,000,000,
We would not be able to they
3. Catastrophic could not recover.
achieve our mission. meet our objectives.

obligations that each asset type could cause? To make this simple, add values
Inherent Risk Criteria ('1' through '3') for "Enterprise" only and leave the indented rows below
"Enterprise" blank. If you wish to estimate risks for each Asset Class, you must
Operational Objectives
Asset Class Mission Impact
Impact
Enterprise 2 2
Devices 2 2
Applications 2 2
Data 2 2
Network 1 2
Users 2 2

Risk Register
 NIST CSF Security
CIS Safeguard # CIS Safeguard Title
Function

Maintain Detailed Asset

1.4 Identify
Inventory

Address Unauthorized
1.6 Respond
Assets

Maintain Inventory of
2.1 Identify
Authorized Software

Ensure Software is
2.2 Identify
Supported by Vendor

Address Unapproved
2.6 Respond
Software

Deploy Automated
3.4 Operating System Patch Protect
Management Tools

Deploy Automated
3.5 Software Patch Protect
Management Tools

Change Default
4.2 Protect
Passwords

Ensure the Use of

4.3 Dedicated Administrative Protect
Accounts

Establish Secure
5.1 Protect
Configurations
6.2 Activate Audit Logging Detect

Ensure Use of Only Fully

7.1 Supported Browsers and Protect
Email Clients

Use of DNS Filtering

7.7 Protect
Services
Ensure Anti-Malware
8.2 Software and Signatures Protect
Are Updated
 Configure Anti-Malware
8.4 Scanning of Removable Detect
Devices
Configure Devices to Not
8.5 Protect
Auto-Run Content

Apply Host-Based
9.4 Protect
Firewalls or Port-Filtering

Ensure Regular
10.1 Protect
Automated BackUps

Perform Complete System

10.2 Protect
Backups

10.4 Protect Backups Protect

Ensure All Backups Have

10.5 at Least One Offline Protect
Backup Destination

Install the Latest Stable

Version of Any Security-
11.4 Protect
Related Updates on All
Network Devices
Maintain an Inventory of
12.1 Identify
Network Boundaries

Deny Communication
12.4 Protect
Over Unauthorized Ports

Maintain an Inventory of
13.1 Identify
Sensitive Information

Remove Sensitive Data or

13.2 Systems Not Regularly Protect
Accessed by Organization

Encrypt Mobile Device

13.6 Protect
Data

Protect Information
14.6 Through Access Control Protect
Lists
 Leverage the Advanced
Encryption Standard
15.7 Protect
(AES) to Encrypt Wireless
Data

Create Separate Wireless

15.10 Network for Personal and Protect
Untrusted Devices

Disable Any Unassociated

16.8 Respond
Accounts
Disable Dormant
16.9 Respond
Accounts
Lock Workstation
16.11 Protect
Sessions After Inactivity

Implement a Security
17.3 N/A
Awareness Program

Train Workforce on
17.5 N/A
Secure Authentication
Train Workforce on
17.6 Identifying Social N/A
Engineering Attacks
Train Workforce on
17.7 N/A
Sensitive Data Handling

Train Workforce on
17.8 Causes of Unintentional N/A
Data Exposure

Train Workforce Members

17.9 on Identifying and N/A
Reporting Incidents

Document Incident
19.1 N/A
Response Procedures

Designate Management
19.3 Personnel to Support N/A
Incident Handling

Maintain Contact
19.5 Information For Reporting N/A
Security Incidents

Publish Information
Regarding Reporting
19.6 N/A
Computer Anomalies and
Incidents
 Financial Objectives Obligations

All data on this page is con

and not meant to reflect an
The high dollar limit for To prevent theft of
risk register. Only to be
each impact score. students’ identity
purpo
could tolerate a
000.

No harm would come to

$ 20,000.00
others.

The harm that would

$ 1,000,000.00 come to others would be
If this enterprise correctable.
loses more than
$1,000,000, they The harm that would
could not recover. come to others would not
be correctable.

se? To make this simple, add values

ave the indented rows below
risks for each Asset Class, you must

Obligations Impact The highest

obligations impact
3 score that an asset
2 could cause would be
3 '3'.
3
2 If the network in this enterprise were
3 compromised, the highest obligations
impact it could create would be '2'.

Risk Analysis
 Impact to
Safeguard Maturity Expectancy Impact to
Asset Class VCDB Index Operational
Score Score Mission
Objectives

Devices 3 1 2 2 2

Devices 3 1 2 2 2

Applications 2 2 2 2 2

Applications 4 2 1 2 2

Applications 1 2 3 2 2

Devices 4 1 1 2 2

Devices 1 1 2 2 2

Users 3 3 2 2 2

Users 4 3 2 2 2

Devices 5 1 1 2 2

Devices 2 1 2 2 2

Devices 2 1 2 2 2

Devices 1 1 2 2 2

Devices 2 1 2 2 2
Devices 4 1 1 2 2

Devices 3 1 2 2 2

Network 3 1 2 1 2

Data 3 3 2 2 2

Data 1 3 3 2 2

Data 1 3 3 2 2

Data 2 3 2 2 2

Network 4 1 1 1 2

Network 1 1 2 1 2

Network 1 1 2 1 2

Data 1 3 3 2 2

Data 1 3 3 2 2

Devices 2 1 2 2 2

Data 4 3 2 2 2
Network 3 1 2 1 2

Network 1 1 2 1 2

Users 2 3 2 2 2

Users 4 3 2 2 2

Devices 2 1 2 2 2

Users 5 3 1 2 2

Users 1 3 3 2 2

Users 2 3 2 2 2

Users 3 3 2 2 2

Users 4 3 2 2 2

Users 5 3 1 2 2

Enterprise 2 3 2 2 2

Enterprise 1 3 3 2 2

Enterprise 1 3 3 2 2

Enterprise 3 3 2 2 2
 page is considered sample data only,
to reflect an individual organization's
. Only to be used for demonstration
purposes.

Risk Register
 Impact to
Risk Score Risk Level Risk Treatment Option Risk Treatment Safeguard
Obligations

2 4 Reduce 1.4

2 4 Reduce 1.6

3 6 Reduce 2.1

3 3 Accept 2.2

3 9 Reduce 2.6

2 2 Accept 3.4

2 4 Reduce 3.5

3 6 Reduce 4.2

3 6 Reduce 4.3

2 2 Accept

2 4 Reduce 6.2

2 4 Reduce 7.1

2 4 Reduce 7.7

2 4 Reduce 8.2
2 2 Accept

2 4 Reduce 8.5

2 4 Reduce 9.4

3 6 Reduce 10.1

3 9 Reduce 10.2

3 9 Reduce 10.4

3 6 Reduce 10.5

2 2 Accept

2 4 Reduce 12.1

2 4 Reduce 12.4

3 9 Reduce 13.1

3 9 Reduce 13.2

2 4 Reduce 13.6

3 6 Accept
2 4 Reduce 15.7

2 4 Reduce 15.10

3 6 Reduce 16.8

3 6 Reduce 16.9

2 4 Reduce 16.11

3 3 Accept

3 9 Reduce 17.5

3 6 Reduce 17.6

3 6 Reduce 17.7

3 6 Reduce 17.8

3 3 Accept

3 6 Reduce 19.1

3 9 Reduce 19.3

3 9 Reduce 19.5

3 6 Reduce 19.6
 Risk Treatment
Safeguard Title
Maintain Detailed Asset Inventory
Address Unauthorized Assets
Maintain an up-to-date list of all authorized software that is
Maintain Inventory of Authorized Software required in the enterprise for any business purpose on any
business system.
Ensure Software is Supported by Vendor
Address Unapproved Software
Deploy Automated Operating System
Patch Management Tools
Deploy Automated Software Patch
Management Tools
Change Default Passwords
Ensure the Use of Dedicated
Administrative Accounts
Establish Secure Configurations
Activate Audit Logging
Ensure Use of Only Fully Supported
Browsers and Email Clients
Use of DNS Filtering Services
Ensure Anti-Malware Software and
Signatures Are Updated
Risk Treatment
Safeguard Description
The enterprise believes that
Maintain an accurate and up-to-date
implementinginventory of all technology
a network
assets with the potential to access
store orcontrol
process information.
device will This
inventory shall include all hardware assets, whether
address multiple risks. connected
to the organization's network or not.
Ensure that unauthorized assets are either removed from the
network, quarantined, or the inventory is updated in a timely
manner.
Ensure that only software applications or operating systems
currently supported by the software's vendor are added to the
organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory
system.
Ensure that unauthorized software is either removed or the
inventory is updated in a timely manner.
Deploy automated software update tools in order to ensure that
the operating systems are running the most recent security
updates provided by the software vendor.
Deploy automated software update tools in order to ensure that
third-party software on all systems is running the most recent
security updates provided by the software vendor.
Before deploying any new asset, change all default passwords to
have values consistent with administrative level accounts.
Ensure that all users with administrative account access use a
dedicated or secondary account for elevated activities. This
account should only be used for administrative activities and not
internet browsing, email, or similar activities.
Maintain documented, standard security configuration standards
for all authorized operating systems and software.
Ensure that local logging has been enabled on all systems and
networking devices.
Ensure that only fully supported web browsers and email clients
are allowed to execute in the organization, ideally only using the
latest version of the browsers and email clients provided by the
vendor.
Use DNS filtering services to help block access to known
malicious domains.
Ensure that the organization's anti-malware software updates its
scanning engine and signature database on a regular basis.
Configure Anti-Malware Scanning of
Removable Devices
Configure Devices to Not Auto-Run
Content
Apply Host-Based Firewalls or Port-
Filtering
Ensure Regular Automated BackUps
Perform Complete System Backups
Protect Backups
Ensure All Backups Have at Least One
Offline Backup Destination
Install the Latest Stable Version of Any
Security-Related Updates on All Network
Devices
Maintain an Inventory of Network
Boundaries
Deny Communication Over Unauthorized
Ports
Maintain an Inventory of Sensitive
Information
Remove Sensitive Data or Systems Not
Regularly Accessed by Organization
Encrypt Mobile Device Data
Protect Information Through Access
Control Lists
Configure devices so that they automatically conduct an anti-
malware scan of removable media when inserted or connected.
Configure devices to not auto-run content from removable
media.
Apply host-based firewalls or port filtering tools on end systems,
with a default-deny rule that drops all traffic except those
services and ports that are explicitly allowed.
Ensure that all system data is automatically backed up on a
regular basis.
Ensure that each of the organization's key systems are backed
up as a complete system, through processes such as imaging, to
enable the quick recovery of an entire system.
Ensure that backups are properly protected via physical security
or encryption when they are stored, as well as when they are
moved across the network. This includes remote backups and
cloud services.
Ensure that all backups have at least one backup destination
that is not continuously addressable through operating system
calls.
Install the latest stable version of any security-related updates on
all network devices.
Maintain an up-to-date inventory of all of the organization's
network boundaries.
Deny communication over unauthorized TCP or UDP ports or
application traffic to ensure that only authorized protocols are
allowed to cross the network boundary in or out of the network at
each of the organization's network boundaries.
Maintain an inventory of all sensitive information stored,
processed, or transmitted by the organization's technology
systems, including those located onsite or at a remote service
provider.
Remove sensitive data or systems not regularly accessed by the
organization from the network. These systems shall only be used
as stand alone systems (disconnected from the network) by the
business unit needing to occasionally use the system or
completely virtualized and powered off until needed.
Utilize approved whole disk encryption software to encrypt the
hard drive of all mobile devices.
Protect all information stored on systems with file system,
network share, claims, application, or database specific access
control lists. These controls will enforce the principle that only
authorized individuals should have access to the information
based on their need to access the information as a part of their
responsibilities.
Leverage the Advanced Encryption Leverage the Advanced Encryption Standard (AES) to encrypt
Standard (AES) to Encrypt Wireless Data wireless data in transit.

Create Separate Wireless Network for Maintain an inventory of authorized wireless access points
Personal and Untrusted Devices connected to the wired network.

Disable any account that cannot be associated with a business

Disable Any Unassociated Accounts
process or business owner.
Automatically disable dormant accounts after a set period of
Disable Dormant Accounts
inactivity.
Automatically lock workstation sessions after a standard period
Lock Workstation Sessions After Inactivity
of inactivity.
Create a security awareness program for all workforce members
to complete on a regular basis to ensure they understand and
exhibit the necessary behaviors and skills to help ensure the
Implement a Security Awareness Program
security of the organization. The organization's security
awareness program should be communicated in a continuous
and engaging manner.
Train workforce members on the importance of enabling and
Train Workforce on Secure Authentication
utilizing secure authentication.
Train the workforce on how to identify different forms of social
Train Workforce on Identifying Social
engineering attacks, such as phishing, phone scams, and
Engineering Attacks
impersonation calls.
Train Workforce on Sensitive Data Train workforce on how to identify and properly store, transfer,
Handling archive, and destroy sensitive information.

Train workforce members to be aware of causes for unintentional

Train Workforce on Causes of
data exposures, such as losing their mobile devices or emailing
Unintentional Data Exposure
the wrong person due to autocomplete in email.

Train Workforce Members on Identifying Train employees to be able to identify the most common
and Reporting Incidents indicators of an incident and be able to report such an incident.

Ensure that there are written incident response plans that define
Document Incident Response Procedures roles of personnel as well as phases of incident
handling/management.
Designate management personnel, as well as backups, who will
Designate Management Personnel to
support the incident handling process by acting in key decision-
Support Incident Handling
making roles.
Assemble and maintain information on third-party contact
Maintain Contact Information For information to be used to report a security incident, such as Law
Reporting Security Incidents Enforcement, relevant government departments, vendors, and
ISAC partners.
Publish information for all workforce members, regarding
Publish Information Regarding Reporting reporting computer anomalies and incidents to the incident
Computer Anomalies and Incidents handling team. Such information should be included in routine
employee awareness activities.
Risk Treatment
 Risk Treatment Risk Treatment Risk Treatment
Our Planned
Safeguard Maturity Safeguard Expectancy Safeguard Impact
Implementation
Score Score to Mission

at

Implement a NAC. 4 1 2

Implement a NAC. 4 1 2

Use application
4 1 2
whitelisting.

Add unapproved software

4 1 2
to incident response plan.

Configure end-user
systems to automatically 4 1 2
apply patches from vendor.

Use PAM for all admin

4 2 2
accounts.

4 2 2

2 2 2

2 2 2

1 2 2

2 2 2
 2

3 2 2

3 2 1

3 2 2

1 3 2

1 3 2

2 2 2

1 2 1

1 2 1

1 3 2

1 3 2

2 2 2

2
3 2 1

1 2 1

2 2 2

4 2 2

2 2 2

1 3 2

2 2 2

3 2 2

4 2 2

2 2 2

1 3 2

1 3 2

3 2 2
 Risk Treatment
Risk Treatment Risk Treatment
Safeguard Impact Reasonable and Risk Treatment Implementati
Safeguard Impact Safeguard Risk
to Operational Acceptable Safeguard Cost on Quarter
to Obligations Score
Objectives

2 2 2 Yes Q2

2 2 2 Yes Q3

2 3 3 Yes Q4

2 3 Yes Q2

If the safeguard is implemented at maturity '4'

2 the safeguard3risk will still be too3high. Using, Yes Q1
auditing, and correcting PAM may not be
enough, in this case. The enterprise may
consider an automated approach to ensure
2 that PAM is consistently
2 enforced and Yes Q2
automatically improved over time.

2 2 2 Yes Q4

2 3 6 No $ 5,000 Q4

2 3 6 No

2 2 Yes

2 2 4 Yes

2 2 4 Yes

2 2 4 Yes

2 2 4 Yes
2 2 Yes

2 2 4 Yes

2 2 4 Yes

2 3 6 No

2 3 9 No

2 3 9 No

2 3 6 No

2 2 Yes

2 2 4 Yes

2 2 4 Yes

2 3 9 No

2 3 9 No

2 2 4 Yes

2 3 No
2 2 4 Yes

2 2 4 Yes

2 3 6 No

2 3 6 No

2 2 4 Yes

2 3 Yes

2 3 9 No

2 3 6 No

2 3 6 No

2 3 6 No

2 3 Yes

2 3 6 No

2 3 9 No

2 3 9 No

2 3 6 No
Reasonable Annual Cost
 Impact to
Implementatio
Financial Year Reasonable?
n Year
Objectives

2022 $ 5,000.00 2021 Yes

2022 $ - 2022 Yes

2022 $ - 2023 Yes

2022 $ - 2024 Yes

2023 $ - 2025 Yes

2023 $ - 2026 Yes

2021 $ - 2027 Yes

2021 $ - 2028 Yes

$ - 2029 Yes

$ - 2030 Yes
 CIS CSAT Pro
CIS CSAT Pro for CIS Controls v7.1

CSAT Pro Export CSAT Pro Score CIS RAM Maturity

v7.1 IG1 Safeguard #
Score (Stripped) Score Final
1.4 5 (81-100%) 5 5
1.6 3 (41-60%) 3 3
2.1 4 (61-80%) 4 4
2.2 3 (41-60%) 3 3
2.6 2 (21-40%) 2 2
3.4 4 (61-80%) 4 4
3.5 4 (61-80%) 4 4
4.2 2 (21-40%) 2 2
4.3 2 (21-40%) 2 2
5.1 5 (81-100%) 5 5
6.2 2 (21-40%) 2 2
7.1
7.7 Not Applicable N N
8.2
8.4 Not Available N N
8.5
9.4
10.1
10.2
10.4
10.5
11.4
12.1
12.4
13.1
13.2
13.6
14.6
15.7
15.10
16.8
16.9
16.11
17.3
17.5 5 (81-100%) 5 5
17.6
17.7
17.8
17.9
19.1 5 (81-100%) 5 5
19.3
19.5 3 (41-60%) 3 3
19.6
SAT Pro
CIS CSAT Pro for CIS Controls v8.0

CSAT Pro Export CSAT Pro Score CIS RAM Maturity

v8 IG1 Safeguard #
Score (Stripped) Score Final
1.1 5 (81-100%) 5 5
1.2 3 (41-60%) 3 3 All data on this
2.1 4 (61-80%) 4 4
2.2 3 (41-60%) 3 3 only, and not
2.3
3.1
2 (21-40%)
4 (61-80%)
2
4
2
4 organization's
3.2
3.3
4 (61-80%)
2 (21-40%)
4
2
4
2
used for
3.4 2 (21-40%) 2 2
3.5 5 (81-100%) 5 5
3.6 2 (21-40%) 2 2
4.1
4.2 Not Applicable N N
4.3
4.4 Not Available N N
4.5
4.6
4.7
5.1
5.2
5.3
5.4
6.1
6.2
6.3
6.4
6.5
7.1
7.2
7.3
7.4
8.1
8.2
8.3
9.1 5 (81-100%) 5 5
9.2
10.1
10.2
10.3
11.1 5 (81-100%) 5 5
11.2
11.3 3 (41-60%) 3 3
11.4 3 (41-60%) 3 3
12.1 2 (21-40%) 2 2
14.1 4 (61-80%) 4 4
14.2 4 (61-80%) 4 4
14.3 2 (21-40%) 2 2
14.4 2 (21-40%) 2 2
14.5 5 (81-100%) 5 5
14.6 4 (61-80%) 4 4
14.7 2 (21-40%) 2 2
14.8 2 (21-40%) 2 2
15.1 5 (81-100%) 5 5
17.1
17.2
17.3
All data on this page is considered sample data
only, and not meant to reflect an individual
organization's CSAT/RAM scoring. Only to be
used for demonstration purposes.
 CIS-Hosted CSAT
Policy Defined
Maturity Scores
1 No Policy
2 Informal Policy
3 Partially Written Policy
4 Written Policy
5 Approved Written Policy
Unknown - Unscored None
Unknown - N/A Not Applicable
Control Implemented
Not Implemented
Parts of Policy Implemented
Implemented on Some Systems
Implemented on Most Systems
Implemented on All Systems
None
Not Applicable

CIS-Hosted CSAT for

CIS-Hosted CSAT Values From XLSX Export
CIS Controls v7.1

v7.1 IG1 Safeguard # Policy Defined Control Implemented

1.4 Approved Written Policy Implemented on Most Systems

1.6 Partially Written Policy Implemented on Some Systems
2.1 Approved Written Policy Implemented on All Systems
2.2 Partially Written Policy Implemented on Some Systems
2.6 Informal Policy Parts of Policy Implemented
3.4 Partially Written Policy Implemented on Some Systems
3.5 Partially Written Policy Implemented on Some Systems
4.2 Partially Written Policy Implemented on All Systems
4.3 Approved Written Policy Implemented on All Systems
5.1 Approved Written Policy Implemented on Some Systems
6.2 Approved Written Policy Implemented on Most Systems
7.1 Partially Written Policy Implemented on Most Systems
7.7 Partially Written Policy Implemented on Most Systems
8.2 No Policy Not Implemented
8.4 No Policy Not Implemented
8.5 No Policy Not Implemented
9.4 Approved Written Policy Implemented on Most Systems
10.1 Written Policy Implemented on Most Systems
10.2 Partially Written Policy Implemented on Most Systems
10.4 Written Policy Implemented on All Systems
10.5 Written Policy Implemented on All Systems
11.4 Approved Written Policy Implemented on Most Systems
12.1 None None

12.4 None None

13.1 None None

13.2 None None

13.6 None None
14.6 Approved Written Policy Implemented on All Systems
15.7 Approved Written Policy Implemented on All Systems
15.10 Approved Written Policy Implemented on All Systems
16.8 None None

16.9 None None

16.11 Approved Written Policy Implemented on All Systems
17.3 Approved Written Policy Implemented on All Systems
17.5 None None

17.6 None None

17.7 None None

17.8 None None

17.9 None None

19.1 None None

19.3 Approved Written Policy Implemented on All Systems
19.5 None None

19.6 None None

 CIS-Hosted CSAT
Control Automated Control Reported
Maturity Scores
Not Automated Not Reported 1
Parts of Policy Automated Parts of Policy Reported 2
Automated on Some Systems Reported on Some Systems 3
Automated on Most Systems Reported on Most Systems 4
Automated on All Systems Reported on All Systems 5
Unknown -
None None
Unscored
Not Applicable Not Applicable Unknown - N/A

CSAT Values From XLSX Export Calculated Numerical Score

Control Automated Control Reported Policy Defined Control Implemented

Automated on All Systems Reported on Some Systems 5 4

Automated on Some Systems
Automated on All Systems
Automated on Most Systems
Parts of Policy Automated
Automated on Some Systems
Automated on Some Systems
Automated on Some Systems
Automated on All Systems
Automated on Most Systems
Automated on Most Systems
Automated on All Systems
Automated on Most Systems
Parts of Policy Automated
Parts of Policy Automated
Not Automated
Automated on Most Systems
Automated on All Systems
Automated on Most Systems
Automated on Most Systems
Automated on All Systems
Automated on All Systems
None
Reported on Most Systems
Reported on All Systems
Reported on All Systems
Reported on Some Systems
Reported on Most Systems
Reported on Some Systems
Reported on Most Systems
Reported on All Systems
Reported on All Systems
Reported on All Systems
Reported on Most Systems
Reported on Most Systems
Not Reported
Not Reported
Not Reported
Reported on Most Systems
Reported on Some Systems
Reported on All Systems
Reported on All Systems
Reported on All Systems
Reported on Most Systems
None Unknown - Unscored
3 3
5 5
3 3
2 2
3 3
3 3
3 5
5 5
5 3
5 4
3 4
3 4
1 1
1 1
1 1
5 4
4 4
3 4
4 5
4 5
5 4
Unknown - Unscored

None None Unknown - Unscored Unknown - Unscored

None None Unknown - Unscored Unknown - Unscored

None None Unknown - Unscored Unknown - Unscored

 None None Unknown - Unscored Unknown - Unscored
Automated on All Systems Reported on All Systems 5 5
Automated on All Systems Reported on All Systems 5 5
Automated on All Systems Reported on All Systems 5 5
None None Unknown - Unscored Unknown - Unscored

None None Unknown - Unscored Unknown - Unscored

Automated on All Systems Reported on All Systems 5 5
Automated on All Systems Reported on All Systems 5 5
None None Unknown - Unscored Unknown - Unscored

None None Unknown - Unscored Unknown - Unscored

None None Unknown - Unscored Unknown - Unscored

None None Unknown - Unscored Unknown - Unscored

None None Unknown - Unscored Unknown - Unscored

None None Unknown - Unscored Unknown - Unscored

Automated on All Systems Not Applicable 5 5
None None Unknown - Unscored Unknown - Unscored

None None Unknown - Unscored Unknown - Unscored

 CIS-Hosted CSAT

All data on this page is considered sample data only, and n

an individual organization's CSAT/RAM scoring. Only
demonstration purposes.

ulated Numerical Score

CIS RAM Maturity Score CIS RAM Maturity Score
Average Final
Control Automated Control Reported

5 3
3 4
5 5
4 5
2 3
3 4
3 3
3 4
5 5
4 5
4 5
5 4
4 4
2 1
2 1
1 1
4 4
5 3
4 5
4 5
5 5
5 4
Unknown -
Unknown - Unscored
Unscored
Unknown -
Unknown - Unscored
Unscored
Unknown -
Unknown - Unscored
Unscored
Unknown -
Unknown - Unscored
Unscored
4 4
3 3
5 5
4 4
2 2
3 3
3 3
4 4
5 5
4 4
5 5
4 4
4 4
1 1
1 1
1 1
4 4
4 4
4 4
5 5
5 5
5 5
#DIV/0! #DIV/0!
#DIV/0! #DIV/0!
#DIV/0! #DIV/0!
#DIV/0! #DIV/0!
 Unknown -
Unknown - Unscored #DIV/0! #DIV/0!
Unscored
5 5 5 5
5 5 5 5
5 5 5 5
Unknown -
Unknown - Unscored #DIV/0! #DIV/0!
Unscored
Unknown -
Unknown - Unscored #DIV/0! #DIV/0!
Unscored
5 5 5 5
5 5 5 5
Unknown -
Unknown - Unscored #DIV/0! #DIV/0!
Unscored
Unknown -
Unknown - Unscored #DIV/0! #DIV/0!
Unscored
Unknown -
Unknown - Unscored #DIV/0! #DIV/0!
Unscored
Unknown -
Unknown - Unscored #DIV/0! #DIV/0!
Unscored
Unknown -
Unknown - Unscored #DIV/0! #DIV/0!
Unscored
Unknown -
Unknown - Unscored #DIV/0! #DIV/0!
Unscored
5 Unknown - N/A 5 5
Unknown -
Unknown - Unscored #DIV/0! #DIV/0!
Unscored
Unknown -
Unknown - Unscored #DIV/0! #DIV/0!
Unscored
d CSAT

ata only, and not meant to reflect

scoring. Only to be used for
poses.

CIS-Hosted CSAT for CIS

CIS-Hosted CSAT Values From XLSX Export
Controls v8.0

v8 IG1 Safeguard # Policy Defined Control Implemented

1.1 Approved Written Policy Implemented on Most Systems

1.2 Partially Written Policy Implemented on Some Systems
2.1 Approved Written Policy Implemented on All Systems
2.2 Partially Written Policy Implemented on Some Systems
2.3 Informal Policy Parts of Policy Implemented
3.1 Partially Written Policy Implemented on Some Systems
3.2 Partially Written Policy Implemented on Some Systems
3.3 Partially Written Policy Implemented on All Systems
3.4 Approved Written Policy Implemented on All Systems
3.5 Approved Written Policy Implemented on Some Systems
3.6 Approved Written Policy Implemented on Most Systems
4.1 Partially Written Policy Implemented on Most Systems
4.2 Partially Written Policy Implemented on Most Systems
4.3 No Policy Not Implemented
4.4 No Policy Not Implemented
4.5 No Policy Not Implemented
4.6 Approved Written Policy Implemented on Most Systems
4.7 Written Policy Implemented on Most Systems
5.1 Partially Written Policy Implemented on Most Systems
5.2 Written Policy Implemented on All Systems
5.3 Written Policy Implemented on All Systems
5.4 Approved Written Policy Implemented on Most Systems
6.1 None None

6.2 None None

6.3 None None

6.4 None None

6.5 None None
7.1 Approved Written Policy Implemented on All Systems
7.2 Approved Written Policy Implemented on All Systems
7.3 Approved Written Policy Implemented on All Systems
7.4 None None

8.1 None None

8.2 Approved Written Policy Implemented on All Systems
8.3 Approved Written Policy Implemented on All Systems
9.1 None None

9.2 None None

10.1 None None

10.2 None None

10.3 None None

11.1 None None

11.2 Approved Written Policy Implemented on All Systems
11.3 None None

11.4 None None

12.1 No Policy Not Implemented
14.1 No Policy Not Implemented
14.2 Approved Written Policy Implemented on Most Systems
14.3 Written Policy Implemented on Most Systems
14.4 Partially Written Policy Implemented on Most Systems
14.5 Written Policy Implemented on All Systems
14.6 Written Policy Implemented on All Systems
14.7 Approved Written Policy Implemented on Most Systems
14.8 Partially Written Policy Implemented on Most Systems
15.1 Written Policy Implemented on All Systems
17.1 Written Policy Implemented on All Systems
17.2 No Policy Not Implemented
17.3 No Policy Not Implemented
CSAT Values From XLSX Export Calculated Numerical Score

Control Automated Control Reported Policy Defined Control Implemented

Automated on All Systems Reported on Some Systems 5 4

Automated on Some Systems Reported on Most Systems 3 3
Automated on All Systems Reported on All Systems 5 5
Automated on Most Systems Reported on All Systems 3 3
Parts of Policy Automated Reported on Some Systems 2 2
Automated on Some Systems Reported on Most Systems 3 3
Automated on Some Systems Reported on Some Systems 3 3
Automated on Some Systems Reported on Most Systems 3 5
Automated on All Systems Reported on All Systems 5 5
Automated on Most Systems Reported on All Systems 5 3
Automated on Most Systems Reported on All Systems 5 4
Automated on All Systems Reported on Most Systems 3 4
Automated on Most Systems Reported on Most Systems 3 4
Parts of Policy Automated Not Reported 1 1
Parts of Policy Automated Not Reported 1 1
Not Automated Not Reported 1 1
Automated on Most Systems Reported on Most Systems 5 4
Automated on All Systems Reported on Some Systems 4 4
Automated on Most Systems Reported on All Systems 3 4
Automated on Most Systems Reported on All Systems 4 5
Automated on All Systems Reported on All Systems 4 5
Automated on All Systems Reported on Most Systems 5 4
Unknown -
None None Unknown - Unscored
Unscored
Unknown -
None None Unknown - Unscored
Unscored
Unknown -
None None Unknown - Unscored
Unscored
Unknown -
None None Unknown - Unscored
Unscored
 Unknown -
None None Unknown - Unscored
Unscored
Automated on All Systems Reported on All Systems 5 5
Automated on All Systems Reported on All Systems 5 5
Automated on All Systems Reported on All Systems 5 5
Unknown -
None None Unknown - Unscored
Unscored
Unknown -
None None Unknown - Unscored
Unscored
Automated on All Systems Reported on All Systems 5 5
Automated on All Systems Reported on All Systems 5 5
Unknown -
None None Unknown - Unscored
Unscored
Unknown -
None None Unknown - Unscored
Unscored
Unknown -
None None Unknown - Unscored
Unscored
Unknown -
None None Unknown - Unscored
Unscored
Unknown -
None None Unknown - Unscored
Unscored
Unknown -
None None Unknown - Unscored
Unscored
Automated on All Systems Not Applicable 5 5
Unknown -
None None Unknown - Unscored
Unscored
Unknown -
None None Unknown - Unscored
Unscored
Parts of Policy Automated Not Reported 1 1
Not Automated Not Reported 1 1
Automated on Most Systems Reported on Most Systems 5 4
Automated on All Systems Reported on Some Systems 4 4
Automated on Most Systems Reported on All Systems 3 4
Automated on Most Systems Reported on All Systems 4 5
Automated on All Systems Reported on All Systems 4 5
Automated on All Systems Reported on Most Systems 5 4
Automated on Most Systems Reported on All Systems 3 4
Automated on Most Systems Reported on All Systems 4 5
Automated on All Systems Reported on All Systems 4 5
Parts of Policy Automated Not Reported 1 1
Not Automated Not Reported 1 1
lculated Numerical Score
CIS RAM Maturity Score CIS RAM Maturity Score
Average Final
Control Automated Control Reported

5 3 4 4
3 4 3 3
5 5 5 5
4 5 4 4
2 3 2 2
3 4 3 3
3 3 3 3
3 4 4 4
5 5 5 5
4 5 4 4
4 5 5 5
5 4 4 4
4 4 4 4
2 1 1 1
2 1 1 1
1 1 1 1
4 4 4 4
5 3 4 4
4 5 4 4
4 5 5 5
5 5 5 5
5 4 5 5
Unknown -
Unknown - Unscored #DIV/0! #DIV/0!
Unscored
Unknown -
Unknown - Unscored #DIV/0! #DIV/0!
Unscored
Unknown -
Unknown - Unscored #DIV/0! #DIV/0!
Unscored
Unknown -
Unknown - Unscored #DIV/0! #DIV/0!
Unscored
 Unknown -
Unknown - Unscored #DIV/0! #DIV/0!
Unscored
5 5 5 5
5 5 5 5
5 5 5 5
Unknown -
Unknown - Unscored #DIV/0! #DIV/0!
Unscored
Unknown -
Unknown - Unscored #DIV/0! #DIV/0!
Unscored
5 5 5 5
5 5 5 5
Unknown -
Unknown - Unscored #DIV/0! #DIV/0!
Unscored
Unknown -
Unknown - Unscored #DIV/0! #DIV/0!
Unscored
Unknown -
Unknown - Unscored #DIV/0! #DIV/0!
Unscored
Unknown -
Unknown - Unscored #DIV/0! #DIV/0!
Unscored
Unknown -
Unknown - Unscored #DIV/0! #DIV/0!
Unscored
Unknown -
Unknown - Unscored #DIV/0! #DIV/0!
Unscored
5 Unknown - N/A 5 5
Unknown -
Unknown - Unscored #DIV/0! #DIV/0!
Unscored
Unknown -
Unknown - Unscored #DIV/0! #DIV/0!
Unscored
2 1 1 1
1 1 1 1
4 4 4 4
5 3 4 4
4 5 4 4
4 5 5 5
5 5 5 5
5 4 5 5
4 5 4 4
4 5 5 5
5 5 5 5
2 1 1 1
1 1 1 1