
Product Name: 
  • CIS CSAT - CIS Controls Self Assessment Tool
  • CIS CSAT Pro - SecureSuite CIS Controls Self Assessment Tool
  • CIS BIA - Ransomware Business Impact Analysis Tool
  • CIS NCSR - Nationwide Cybersecurity Review
  • CIS RAM - Risk Assessment Method

Product Version: All

Date:


Problem

Info

I have found multiple manual self-assessment tools from CIS. Which should I take? Why would I choose one over the other?

Solution

The following self-assessment tools are available from CIS. With the exception of CIS CSAT Pro, which requires a CIS SecureSuite Membership, all of these tools are available free of charge to members and non-members alike.

  1. CIS Controls Self Assessment Tool (CSAT, also called the CIS-Hosted CSAT) is for enterprises that want to self-assess their implementation of the CIS Critical Security Controls (CIS Controls) on a cadence the enterprise determines.

  2. CIS Controls Self Assessment Tool Pro (CSAT Pro) is available to CIS SecureSuite Members and is an on-premises version of the CIS-Hosted CSAT. Two differences matter when choosing between them:

  • Assessment data is stored locally on infrastructure the enterprise owns and operates, not in the AWS environment that hosts CSAT. This is relevant where data confidentiality requirements restrict where assessment results and the asset details behind them may be stored.

  • CSAT Pro uses a single, simplified question set for self-assessing against the 18 CIS Controls and their 153 Safeguards, whereas the CIS-Hosted CSAT asks four separate question sets per Safeguard. This is the simplified scoring method, which is described in a separate KB article.

  3. CIS Ransomware Business Impact Analysis Tool (BIA) is located within the CIS-Hosted CSAT and uses a quantitative method to assess the enterprise's risk from a ransomware attack, on a cadence the enterprise determines. BIA is built on the FAIR (Factor Analysis of Information Risk) methodology, which is scenario based; the first scenario offered is ransomware. BIA takes the output of a CSAT Implementation Group 1 (IG1) assessment as its input, so an IG1 assessment must be completed in CSAT before BIA can be run.

  4. CIS RAM (Risk Assessment Method) is a qualitative risk analysis method for the whole enterprise, performed on a cadence the enterprise determines. CIS RAM helps enterprises define their acceptable level of risk, prioritize and implement the CIS Controls to manage that risk, justify the investment needed for a reasonable implementation of the Controls, and demonstrate "due care". CSAT results can be exported by Implementation Group and imported into the matching CIS RAM IG worksheet.

  5. CIS Nationwide Cybersecurity Review (NCSR) is an annual self-assessment survey available to members of the Multi-State Information Sharing & Analysis Center (MS-ISAC). It maps to the CIS Controls and produces an improvement plan based on them. Completing the NCSR also helps satisfy a federal reporting requirement.

Note

As part of a general cybersecurity program, performing more than one type of assessment may be necessary. For example, an enterprise can use the CIS Controls tools (CSAT or CSAT Pro) to self-assess its implementation of the Controls, then use the CIS BIA tool, fed by that IG1 assessment, to self-assess its risk from a ransomware attack.

Keywords: self-assessment, CSAT, CSAT Pro, CIS-Hosted, BIA, NCSR, RAM


Copyright © 2020

Center for Internet Security®


Created by: Amanda McGown w/ Robin Regnier