How are CIS CSAT scoring categories defined?


Product Name

CIS CSAT (Controls Self Assessment Tool)

Product Version

All

Date

Apr 27, 2022

Problem

Are there any definitions or detailed explanations for the CIS CSAT questions? For example, “Control Reported”: is this just stating that a report is run validating the control?

Solution

An organization can apply the four scoring categories in whatever way makes the most sense for it; the tool does not prescribe a single interpretation.

In general, these categories refer to:

  1. Policy Defined – to what degree is this Sub-Control covered by your organization’s policies?

  2. Control Implemented – to what degree has your organization implemented this Sub-Control? This can factor in coverage (such as what percentage of the machines in your organization have this Sub-Control implemented) and/or level of implementation (for instance, all machines in your organization could have the Sub-Control partially implemented).

  3. Control Automated – to what degree does your organization enforce this Sub-Control through automated means vs. manual/procedural means?

  4. Control Reported – to what degree is the state of this Sub-Control being reported within your organization, generally to leadership or management? In other words, are updates on the state of that Sub-Control's implementation reaching where they need to go: the decision makers who can act on them, those who can decide whether the organization needs to invest more to improve that Sub-Control's implementation in order to reduce risk, and any reporting requirements the organization has, whether from organizational policies or from regulatory requirements?

Keywords: csat, scoring, reported, implemented


Copyright © 2020

Center for Internet Security®