CIS CSAT Pro FAQ's


Product Name

CIS CSAT Pro (Controls Self Assessment Tool)

Product Version

All

Date

Mar 25, 2021



 

Problem

This is an FAQ for CIS CSAT Pro

How do I get started with CSAT Pro?

If you’re already a CIS SecureSuite Member, join the CSAT Pro WorkBench community. You can download the appropriate CSAT Pro installer (Windows or Unix) from the Files section of that community. If you’re not already a CIS SecureSuite Member, look into membership.

Where can I find more information on CIS CSAT Pro?

User documentation is available at https://csat-pro.docs.cisecurity.org/.  This includes a Deployment Guide for installation/setup, a User Guide describing how to use CSAT Pro, and a Change Log.

Where can I find information on CSAT Pro Releases?

Blogs describing previous CSAT Pro releases are available here

Is there a demo of CSAT Pro?

A recorded demo is available in the CIS WorkBench Support Center Webinars/Training section: Introducing CIS Controls Self Assessment Tool (CSAT Pro).  Please note that this recording describes v1.0.0.

Can we, as a State Department, create a master account, have our districts complete the CSAT, and access reports of their submissions?

Yes, CSAT allows you to create organization trees.  As an example, you could create a tree with a State Department of Education as your top-level organization, and then create sub-organizations for each of the school districts under that.  You would want to setup the users/organizations carefully to ensure that only the desired users (state level users) are able to view all of the assessments, while district level users are only able to access the assessment for their specific school district. 

While you could do this with either CSAT product, CSAT Pro has better functionality to support this – with CSAT Pro, you have greater control over user roles and their relationships to organizations/sub-organizations within the tool.

As part of the reporting, are there areas identified, such as ‘needed improvement areas’ or ‘actions needed’?

CSAT does provide color coding for the graphs on the Assessment Dashboard and some reports based on score range.  This can help you quickly identify which Controls are low (colored red), for instance, so that you can review those with low scores. 

But, CSAT won’t directly flag a Safeguard and say “Safeguard X.Y needs to be higher”.  CSAT allows users to enter their assessment info, lets them track that info over time, and provides an Assessment Dashboard/reports summarizing that assessment data. 

You would be able to use CSAT to see what the score for each Control and Safeguard is for that district, but your organization would need to make the decision of what is an acceptable level.  We recommend performing a risk assessment to help with such determinations.  We do provide industry averages, but those are only meant to be one point of reference, and shouldn’t be used to say “we’re higher than the industry average, so we’re fine”.

Could you send me the questions that are included in the CSAT and an example report?

In general, the questions are just the CIS Safeguards (previously known as CIS Sub-Controls) as listed in the CIS Controls documentation.  You can scope your assessments by Implementation Group (IG) or down to the individual Safeguard level.  For instance, if you only wanted to assess against IG1, you can select IG1 and all of the IG2/IG3 Safeguards would be marked as Not Applicable for that assessment.  Then, for each Safeguard in the assessment’s scope, users could enter a score for that Safeguard. 

CSAT Pro uses a Simple Scoring Method, where users enter a single Safeguard score (1 – 5) for each Safeguard. 

CIS-Hosted CSAT uses four scoring categories (Policy, Implementation, Automation, and Reporting), each rated on a 1 – 5 scale for its scoring; so, CIS-Hosted CSAT does allow for finer-grained scoring, but requires 4 times as many answers to complete.

For exportable reports, both CSATs currently produce:

  • Board Level Slides – PPT slides containing slides for the various charts/graphs on the Assessment Dashboard

  • Safeguard level spreadsheets – XLSX file (for CIS-Hosted CSAT) or CSV file (for CSAT Pro) containing info about each Safeguard including number, title, description, score, who it’s assigned to, who completed it, who validated it, and whether evidence files were uploaded for it.

Additionally, CIS-Hosted CSAT has a Control Level PDF export that shows the summary statistics for each of the Controls in the assessment.  CSAT Pro does not have this export yet (v1.7.0)


Copyright © 2020

Center for Internet Security®