

Product Name:
  • CIS CSAT - CIS Controls Self Assessment Tool
  • CIS CSAT Pro - SecureSuite CIS Controls Self Assessment Tool
  • CIS BIA - Ransomware Business Impact Analysis Tool
  • CIS NCSR - Nationwide Cybersecurity Review
  • CIS RAM - Risk Assessment Method

Product Version: All

Date:

Problem

I have found multiple manual self-assessment tools from CIS. Which should I use, and why would I choose one over the other?

Solution

The following self-assessment tools are available from CIS. With the exception of CIS CSAT Pro, all of them are available for free to members and non-members alike.

  1. CIS Controls Self Assessment Tool (CSAT / CIS-Hosted CSAT) is for enterprises that want to self-assess against the Critical Security Controls (CIS Controls) on a cadence determined by the enterprise.

  2. CIS Controls Self Assessment Tool Pro (CSAT Pro) is used by SecureSuite Members and is an “on-prem” version of the CIS-Hosted CSAT.

  • Assessment data is stored locally by the owner on site and is not hosted in AWS [data confidentiality thing i link]

  • Pro uses a ‘simplified’ single question set for self-assessing against the 18 Controls (the hosted CSAT assesses 153 Safeguards with 4 separate question sets; Pro has only 1). This is the simplified scoring method - link to that KB

  3. CIS BIA Ransomware Business Impact Analysis Tool (BIA) is located “within” the CIS-Hosted CSAT and uses a quantitative method to assess enterprise risk from a ransomware attack on a cadence determined by the enterprise. BIA uses the FAIR methodology, which is scenario based; the first scenario offered is ransomware. BIA takes the output of a CSAT Implementation Group 1 (IG1) assessment as its input.

  4. CIS RAM (Risk Assessment Method) is a qualitative risk analysis for your whole enterprise on a cadence determined by the enterprise. RAM helps enterprises justify investments for reasonable implementation of the CIS Controls. CIS RAM helps enterprises define an acceptable level of risk, and prioritize and implement the CIS Controls to manage that risk. CIS RAM can help enterprises demonstrate “due care”. CSAT results can be exported by Implementation Group and imported into the appropriate CIS RAM IG worksheet.

  5. CIS Nationwide Cybersecurity Review (NCSR) is a self-assessment survey available annually to Multi-State Information Sharing & Analysis Center (MS-ISAC) members. It is mapped to the CIS Controls, and you can obtain an improvement plan based on the CIS Controls. The NCSR helps fulfill a federal reporting requirement.

As part of a general cybersecurity program, performing more than one type of assessment may be necessary, such as combining the CIS Controls tools to self-assess the enterprise's security posture with the CIS BIA tool to self-assess the enterprise’s risk from a ransomware attack.

Keywords: self-assessment, CSAT, CSAT Pro, CIS-Hosted, BIA, NCSR, RAM

Copyright © 2020

Center for Internet Security®
