Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Product Name

CIS CSAT - CIS Controls Self Assessment Tool

CIS CSAT Pro - SecureSuite CIS Controls Self Assessment Tool

CIS BIA - Ransomware Business Impact Analysis Tool

CIS NCSR - Nationwide Cybersecurity Review

CIS RAM - Risk Assessment Method

Product Version

All

Date



Problem

Info

I have found multiple, manual, Self-Assessment tools from CIS, which should I take? Why would I choose one over the other?

Solution

Note

Using the descriptions below enterprises can decide which, or all, tools will work to best suit their cyber hygiene needs.

The following Self-Assessment tools are available from CIS. With the exception of CIS-CSAT Pro,all of the following tools are available for free to members and non-members alike.

  1. CIS Controls Self Assessment Tool Pro (CIS CSAT Pro) is the on-premises version of the tool and is available exclusively to CIS SecureSuite Members CSAT Pro offers a wide range of features and benefits including, but not limited to:

    1. Greater flexibility with organization trees for managing organizations, sub-organizations, and assessments while tracking multiple concurrent assessments in the same organization.

    2. Easily access your tasks, assessments, and organizations from a consolidated home page.

    3. Save time by using a simplified scoring method with a reduced number of questions.

    4. Stores data locally/ offline.

  2. CIS Controls Self Assessment Tool (CIS Hosted CSAT) is a web-based portal version of CSAT hosted by CIS. It is free to every organization for use in a non-commercial capacity to conduct an assessment of their organization's own implementation of the CIS Controls.

  3. CIS Ransomware Business Impact Analysis Tool(CIS BIA) is a free tool located “within” the CIS-Hosted CSAT [while true, confusing] anduses a quantitative method to assess enterprise risk against a ransomware attack on a cadence determined by the enterprise. BIA uses the FAIR methodology, which is scenario based. Our first scenario is ransomware. It takes output from a CSAT Implementation Group 1 (IG1) assessment as input into BIA.

  4. CIS Risk Assessment Method (CIS RAM) is a free, qualitative risk analysis for your whole enterprise on a cadence determined by the enterprise. RAM helps enterprises justify investments for reasonable implementation of the CIS Controls. CIS RAM helps enterprises define acceptable level of risk, and to prioritize and implement the CIS Controls to manage that risk. CIS RAM can help enterprises demonstrate “due care”.  CSAT results can be exported by implementation group and import the results into the appropriate CIS RAM IG worksheet.

  5. CIS Nationwide Cybersecurity Review (NCSR) is a self-assessment survey available for free to Multi-State Information Sharing & Analysis Center (MS ISAC) members annually. It has a mapping to the CIS Controls and you can get an improvement plan based on the CIS Controls. It is designed to measure gaps and capabilities of SLTT governments’ cybersecurity programs and is based on the National Institute of Standards and Technology Cybersecurity Framework. Additionally, the NCSR helps fill a federal requirement for reporting.

Tip

As part of a general cybersecurity program, performing more than one type of assessment may be necessary.

For example, using the CIS Controls Self Assessment Tool to self-assess the enterprise's data and assets in conjunction with the CIS Bia tool to self-assess the enterprise’s risk against a ransomware attack can help an enterprises understand the potential exposure of a cyber event.

Keywords; self-assessment CSAT Pro CIS-Hosted BIA NCSR RAM

Content by Label

Filter by label (Content by label)
showLabelsfalse
showSpacefalse
cqllabel = "sbp_fer"

Copyright © 2023

Center for Internet Security®


Page Properties
hiddentrue

Action

Name(s)

Date

Linked ticket

Created by

Amanda McGown w/ Robin Regnier

Reviewed by

Approved by

Remove by