Product Name: CIS CSAT (Controls Self Assessment Tool)
Product Version: All
Date:
This is an FAQ for some CIS CSAT usability questions.
That’s okay! It’s quite common for organizations not to be completely compliant with the recommendations found in the CIS Controls, and this isn’t necessarily a devastating thing. Some controls may be unreasonable for your organization to deploy, or you may have compensating controls in place. To help accommodate these nuanced issues, you have the option of identifying the Control as “not-applicable”, which means the Control doesn’t count against you. In addition, there is an old adage that says, “You cannot manage what you cannot measure.” You may want to consider your first assessment as the starting point for your journey implementing the CIS Controls.
There are multiple things you can do with your CIS CSAT results. Some ways to get started:
· Export results to share with your team and management
· Schedule another assessment in the future for continuous evaluation
· Assign specific Safeguards, formerly known as Sub-Controls, to different team members for follow-up
CIS CSAT results can also help prioritize your organization’s security spending. Watch your security posture grow by monitoring its progress through CIS CSAT and keep track of your progress implementing the Controls over time.
CIS CSAT includes the CIS Controls mappings to several external frameworks, including NIST CSF, NIST SP 800-53 and PCI DSS. In addition, you can create your own unique tags for each Sub-Control. Tags can be filtered, which helps organizations manage all the complex moving pieces and stakeholders involved in a cybersecurity program.
Reach out to us for help anytime by submitting a support ticket at CIS Product Technical Support.
There is no approval process per se. You should have received an email with the subject "Activate your account" from the address no-reply@cisecurity.org. Please check whether the email was filtered by your spam tool.
We’ve built our platform to help enable auditing and evidence collection associated with implementing the CIS Controls. As such, we allow organizations to either maintain one assessment and simply not validate the responses, or create a new assessment by using the dropdown menu at the top right of the main Assessment Dashboard. There, you can start a new blank assessment, create a new assessment using your current assessment data, or import a previously exported assessment.
The data is encrypted both in transit and at rest.
Only CIS system administrators have access to the platform as a whole. Users only have access to their own records and to anonymized averages by industry.
Once a control task is assigned, you can update the assignee and date. Note that the assignee would also need to be validated before they are visible in the drop-down list.
Information on score calculations is available at: How are individual organization assessment and industry average scores calculated in CSAT?