CIS CSAT Usability FAQ's


Product Name

CIS CSAT (Controls Self Assessment Tool)

Product Version

All

Date

Mar 25, 2021



 

Problem

This is an FAQ for some CIS CSAT usability questions.

What if my CIS CSAT report is not 100% compliant?

That’s okay! It’s quite common for organizations not to be completely compliant with the recommendations found in the CIS Controls and this isn’t necessarily a devastating thing. Some controls may be unreasonable for your organization to deploy or you have compensating controls put in place. To help accommodate these nuanced issues, you have the option of identifying the Control as “not-applicable” which means the Control doesn’t count against you.  In addition, there is an old adage that says, “You cannot manage what you cannot measure.” You may want to consider your first assessment as the starting point for your journey implementing the CIS Controls.

I have run CIS CSAT and identified my areas of improvement. Now what?

There are multiple things you can do with your CIS CSAT results. Some ways to get started:

·         Export results to share with your team and management

·         Schedule another assessment in the future for continuous evaluation

·         Assign specific Safeguards, formally known as Sub-Controls, to different team members for follow-up

CIS CSAT results can also help prioritize your organization’s security spending. Watch your security posture grow by monitoring its progress through CIS CSAT and keep track of your progress implementing the Controls over time.

What frameworks is CIS CSAT cross-mapped to?

CIS CSAT includes the CIS Controls mappings to several external frameworks including NIST CSF, NIST SP800-53 and PCI DSS. In addition, you can create your own unique tags for each Sub-Control which can be filtered to help organizations manage all the complex moving pieces and stakeholders involved in a cybersecurity program.

How do I get support for CIS CSAT?

Reach out to us for help anytime by submitting a support ticket at CIS Product Technical Support.

I have not received confirmation that my registration was approved.

There is no approval process per se. You should have received an email with the subject "Activate your account" and the From Address is no-reply@cisecurity.org. Please check to see if the email was filtered by your spam tool.

I cannot see a way to edit a CIS Control once it is validated.

We’ve built our platform to help enable auditing and evidence collection associated with implementing the CIS Controls. As such we allow organizations to either maintain one assessment and simply not validate the responses, or create a new assessment by using the dropdown menu at the top right of the main Assessment Dashboard. There, you can start a new blank assessment, create a new assessment using your current assessment data, or import a previously exported assessment.

Is the assessment data encrypted in transit and at rest?

The data is both encrypted in transit and at rest.

Other than CIS system administrators assigned to the CSAT platform, what other users have access to data supplied to the system?

Only CIS system administrators have access to the platform as a whole. Users only have access to their own records and to anonymized averages by industry.

How can I change the “Assigned to” user and due date for each task?

Once a control task is assigned you can update the assignee and date. Note that the assignee would also need to be validated before they are visible on the drop-down list.

How is the Overall Score calculated?

Information on score calculations is available at: How are individual organization assessment and industry average scores calculated in CSAT?

Related Content


Copyright © 2020

Center for Internet Security®