
Admin


Introduction

The Admin area of the CIS SecureSuite Platform allows CIS SecureSuite Platform System Admins to handle administrative tasks. If you need to change or implement anything related to the system or application, Admin has everything you need.

This guide covers:

  • Users
  • Organizations
  • Email & Login Settings
  • System Settings
  • Industry Average
  • Alerts
  • Identity Provider (IdP)

Users

Manage your CIS SecureSuite Platform users.

On the Users page, add users with the button on the top-right and edit individual users.

Managing IdP Users

The CIS SecureSuite Platform limits management of users added through an IdP. CIS SecureSuite Platform System Admins can only change an IdP user’s system role and re-enable them. All other user information and settings must be updated directly through your IdP.

Actions

Info

Users cannot be deleted, only disabled.

Add User

1. Go to Admin. You will land on the Users tab immediately.
2. Select Add User.
3. Configure the user's general information:

  • Username: Enter a unique username.
  • First Name (Optional): Enter the user's first name.
  • Last Name (Optional): Enter the user's last name.
  • Email (Optional): Enter the user's work email.

4. Select a system role to define the user's permissions at the application level:

  • Basic User: Has access to all areas of the CIS SecureSuite Platform except Admin. Cannot perform remote configuration assessments, bulk actions, and delete actions.
  • System Admin: Has access to all areas of the CIS SecureSuite Platform. Can perform remote configuration assessments, bulk actions, and delete actions.

5. Configure account status:

  • Disabled: Turn on to prevent logins to the account. Disabled users won't appear in some dropdowns (e.g., adding alert recipients).

[Screenshot: A filled-out form to add a new user.]

6. Select Submit to create the user.

Edit User

1. Go to Admin. You will land on the Users tab immediately.
2. Select the Edit icon for the user you want to edit.
3. Select Add User.
4. Configure the user's general information:

  • Username: Enter a unique username.
  • First Name (Optional): Enter the user's first name.
  • Last Name (Optional): Enter the user's last name.
  • Email (Optional): Enter the user's work email.

5. Select a system role to define the user's permissions at the application level:

  • Basic User: Has access to all areas of the CIS SecureSuite Platform except Admin. Cannot perform remote configuration assessments, bulk actions, and delete actions.
  • System Admin: Has access to all areas of the CIS SecureSuite Platform. Can perform remote configuration assessments, bulk actions, and delete actions.

6. Configure account status:

  • Disabled: Enable to prevent logins to the account. Disabled users will not appear in some dropdowns (e.g., adding alert recipients).
  • Locked: Disable to unlock the user. Users are locked when they reach the maximum login failures allowed for your CIS SecureSuite Platform instance. Locked users may change their password to log in.
  • Reset Password: Enable to force the user to reset their password.
  • New Password (required with password reset): Enter a new password for the user.

7. Select Submit to finish.

Reset MFA

Info

This action is not available for IdP users as their MFA must be managed through your organization's IdP. For non-IdP users who have not set up their MFA, this action will be disabled and greyed out.

In case of a lost, stolen, or decommissioned device, you can reset a user's MFA.

1. Go to Admin. You will land on the Users tab immediately.
2. Select the Edit icon for the user you want to edit.
3. Select Reset MFA.

When the user logs in, they will be prompted to set up their mobile authenticator.

Reset Password

Info

This action is not available for IdP users as their password must be managed through your organization's IdP.

1. Go to Admin. You will land on the Users tab immediately.
2. Select the Edit icon for the user you want to edit.
3. Select the Reset Password checkbox and then Submit.

The user will need to create a new password the next time they log in.

Disable User

Apart from disabling users while creating or editing them, you can also disable a user directly from the Users page.

1. Go to Admin. You will land on the Users tab immediately.
2. Select the Disable User icon.
3. Select Disable User to confirm.

[Screenshot: The Disable User window where you can cancel or confirm you want to disable the user.]

Re-Enable Users

To re-enable a user, edit the user and uncheck the Disabled field.


Organizations

Manage organizations and their users.

Note

Organizations apply only to the Controls side of the CIS SecureSuite Platform.

[Screenshot: An example of the Organizations tab with some organizations added.]

Actions

Create Organizations

1. Go to Admin > Organizations.
2. Select Create New.
3. Configure the organization as follows:

  • Parent Org (Optional): Select a parent organization for the new organization. The new organization will be a sub-organization of its parent organization.
  • Organization Name: Enter the organization's name. The name must be unique within the CIS SecureSuite Platform instance and is limited to the following characters: letters, numbers, hyphen, dot, ampersand, and comma.
  • Website: Enter the organization's complete URL (e.g., https://www.example.com)
  • Industry: Select the organization's industry.
  • Organization Logo: Select Browse and choose a JPG, JPEG, PNG, or BMP file at or under 500KB.

Where will the organization logo appear?

Uploaded organization logos will display in that organization’s Organization Info page, on the first slide of board-level slides for its assessments, and on its block in the org. chart.

[Screenshot: A filled-out form to create an organization.]

4. (Optional) Add users to the organization and configure their organization roles:

   A. Select users to add to the organization.
   B. Select the organization roles for the users.
   C. Select to include the user in the organization's sub-orgs.

[Screenshot: The steps to add users to an organization.]

5. Select Submit to create the organization.

Info

The user who creates the organization will automatically be added to its Organization Admin role. The System Admin role alone doesn't allow you to create sub-organizations within top-level or parent organizations. You must have the Organization Admin role for each organization in which you want to create sub-organizations.

Edit Organizations

1. Go to Admin > Organizations.
2. Select the Edit icon for the target organization.
3. Edit the organization as desired:

  • Parent Org (Optional): Select a new parent organization or select None to remove the parent organization.
  • Organization Name: Enter the organization's name. It must be unique within the CIS SecureSuite Platform instance.
  • Website: Enter the organization's complete URL (e.g., https://www.example.com)
  • Industry: Select the organization's industry.
  • Organization Logo (Optional): Select Browse and choose a JPG, JPEG, PNG, or BMP file at or under 500KB.

4. (Optional) Add users to the organization and configure their organization roles:

   A. Select user to add to the organization.
   B. Select the organization role for the users.
   C. Select to include the user in the organization's sub-orgs.

[Screenshot: The steps to add users to an organization.]

5. (Optional) Remove users from the organization and unassign/reassign their tasks:

   A. For the user, select x.

Find the x at the far-right of the user's row.

   B. Select one of the assignment options:

      - Unassign Tasks
      - Reassign Tasks and then select a user

[Screenshot: An example of the Remove User window where Unassign Tasks is selected.]

   C. Select Remove to return to editing the organization.

6. Select Submit to finish editing.

Delete Organizations

Deleting organizations is permanent. You will have to recreate and reconfigure deleted organizations.

1. Go to Admin > Organizations.
2. Select the Delete icon for the target organization.
3. Select Delete Organization to confirm.

[Screenshot: The Delete Organization window to verify if you want to proceed with the deletion.]


Email & Login Settings

Configure email, MFA, password, and login settings.

Actions

Configure Email Settings

Set up an email server to send password resets, MFA setup, and alert notifications. You'll need to use your proxy server credentials when editing your email settings.

Info

Users will not be able to reset their passwords until you set up your email server.

1. Go to Admin > Email & Login Settings.
2. Select Edit Email Settings.

3. Complete the fields with your proxy server credentials:

  • Host: Enter the SMTP server hostname used for sending emails (i.e., FQDN or IP address of the SMTP email server).
  • Username: Enter the username to connect to the email server.
  • Password: Enter the password to connect to the email server.
  • Port: Enter the SMTP server port number (default is 587 and SMTPS is 465).
  • Default Email Sender: Enter the email address that will be used to send CIS SecureSuite Platform emails.
  • Email Display Name: (Optional) Enter a user-friendly name to display as the "From" address in emails.
  • Encryption (Optional)
    • Enable SSL: (For SMTPS/port 465 only) Select the checkbox to enable encryption with the SSL (Secure Sockets Layer) protocol.
    • Enable StartTLS: (For standard ports like 587) Select the checkbox to enable encryption with StartTLS.

[Screenshot: A filled-out form to edit email settings.]

4. Select Save Changes when finished.
5. Select Send Test Email to confirm your email server is operational.
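The port and encryption choices above are easy to get wrong in a way that still "works" (mail goes out, but the SMTP password and every password-reset link travel in clear text). The following preflight check is an added example, not the platform's own validation: it models the Email Settings form fields named above and flags inconsistent combinations before Save Changes. The host, account and sender values in demo_settings() are constructed.

```python
"""Preflight check for the Email Settings form described above.
Added example: the field names follow the page; the checks and sample
values are constructed here and are not the platform's own validation."""
import ipaddress
import re
from dataclasses import dataclass

HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$",
    re.I,
)


@dataclass(frozen=True)
class EmailSettings:
    host: str                      # Host: SMTP server FQDN or IP address
    port: int                      # Port: 587 (submission/StartTLS) or 465 (SMTPS)
    username: str
    password: str
    default_sender: str            # Default Email Sender
    display_name: str = ""         # Email Display Name (optional)
    enable_ssl: bool = False       # Encryption: Enable SSL (SMTPS, port 465)
    enable_starttls: bool = False  # Encryption: Enable StartTLS (port 587)


def valid_host(host: str) -> bool:
    """Accept an IPv4/IPv6 literal or a syntactically valid hostname/FQDN."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return bool(HOSTNAME_RE.match(host))


def review_email_settings(s: EmailSettings) -> list[str]:
    """Return a list of findings; an empty list means the form is consistent
    and every message (password resets, MFA setup, alerts) leaves encrypted."""
    findings = []
    if not valid_host(s.host):
        findings.append(f"Host {s.host!r} is neither an IP address nor a valid FQDN")
    if not 1 <= s.port <= 65535:
        findings.append(f"Port {s.port} is out of range")
    if s.enable_ssl and s.enable_starttls:
        findings.append("Enable SSL and Enable StartTLS are mutually exclusive; pick the one matching the port")
    if s.port == 465 and not s.enable_ssl:
        findings.append("Port 465 is SMTPS: turn on Enable SSL")
    if s.port == 587 and not s.enable_starttls:
        findings.append("Port 587 is the submission port: turn on Enable StartTLS")
    if s.port not in (465, 587):
        findings.append(f"Port {s.port} is non-standard; confirm which encryption mode the server expects")
    if not (s.enable_ssl or s.enable_starttls):
        findings.append("No encryption selected: the SMTP password and password-reset emails would cross the network in clear text")
    if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", s.default_sender):
        findings.append(f"Default Email Sender {s.default_sender!r} is not a valid address")
    if not s.username or not s.password:
        findings.append("Username and Password are required to authenticate to the email server")
    return findings


def demo_settings(**overrides) -> EmailSettings:
    """Constructed sample values (not a real server); overrides let you try variants."""
    base = dict(host="smtp.example.test", port=587, username="securesuite-mailer",
                password="constructed-demo-secret", default_sender="securesuite@example.test",
                display_name="CIS SecureSuite Platform", enable_starttls=True)
    base.update(overrides)
    return EmailSettings(**base)


if __name__ == "__main__":
    for variant in (demo_settings(), demo_settings(port=465, enable_starttls=False)):
        print(variant.port, review_email_settings(variant) or "OK")
```

Run the check before Send Test Email: a test message that arrives proves only that the server accepted the mail, not that the session was encrypted.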

Enable Multi-Factor Authentication (MFA)

Info

This feature is for non-IdP users only. If your organization has connected an external IdP to its CIS SecureSuite Platform instance, configure MFA through your IdP.

Enable MFA to enhance security by requiring users to enter a one-time passcode sent to their mobile device as an additional step of the login process.

1. Go to Admin > Email & Login Settings.
2. From the MFA dropdown, select Required to enable the feature for all non-IdP SecureSuite Platform users.

Once this feature is enabled, all non-IdP users will need to set up their mobile authenticator during login. Users can utilize their preferred mobile authenticator. CIS has tested MFA with Duo, FreeOTP, Google Authenticator, Microsoft Authenticator, and Okta Verify.

Configure Password Settings

Configure password settings such as minimum and maximum password length, expiration, and more. The default values align with the recommendations covered in the CIS Password Policy Guide, but you can configure the values based on your organization's policies. Changed password settings are enforced only on passwords that are created after the changes have been made. Existing passwords that do not meet the new requirements can still be used until they expire or are reset.

1. Go to Admin > Email & Login Settings and scroll down to Password Settings.
2. Enter a number in the settings you want to change.

  • Minimum Password Length: Minimum password length allowed. Absolute minimum: 8 characters.
  • Maximum Password Length: Maximum password length allowed. Turn on Maximum Enforced to enable this setting.
  • Password Banning: Ban passwords prior to the current one. E.g., 2 would ban the previous password and the one before that.
  • Minimum Time Between Changes: Hours that need to pass before a password can be changed again.
  • Password Expiration: Days until passwords expire. Turn on Expiration enforced if you want passwords to expire.

Establishing a Strong Password Policy

Refer to the CIS Password Policy Guide for specific and detailed guidance on establishing a strong password policy.

On Minimum Time Between Changes

CIS SecureSuite Platform System Admins can change passwords anytime, regardless of the value in this field. Additionally, users who try to change their password before the specified time has elapsed are not informed how long it will be until they can change their password.

[Screenshot: All the Password Settings fields filled out.]

Configure Password Composition

Define the minimum number required of each character type in all CIS SecureSuite Platform passwords. Existing passwords that do not meet these requirements will be allowed to remain in use, but passwords must meet the current requirements when they are created or reset.

1. Go to Admin > Email & Login Settings and scroll down to Password Composition.
2. Enter a number for the character type.

  • Special Characters: Minimum required special characters.
  • Digits: Minimum required digits.
  • Upper Case: Minimum required upper case letters.
  • Lower Case: Minimum required lower case letters.

[Screenshot: All the Password Composition fields filled out.]
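To see how the Password Settings and Password Composition rules above combine when a user changes a password, here is an added example that models them in code. It is not the platform's implementation: the numbers in demo_policy() are constructed for the demo rather than the platform's defaults, the exact reuse window (current password plus the banned previous ones) and the admin bypass of Minimum Time Between Changes are assumptions drawn from the notes above, and the history hashes are constructed.

```python
"""Model of the Password Settings and Password Composition rules above.
Added example; the numbers in demo_policy() are constructed for the demo,
not the platform's defaults, and the reuse-check semantics are stated as
assumptions in the comments."""
import hashlib
import string
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

SPECIAL_CHARS = set(string.punctuation)


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int                 # Minimum Password Length (absolute minimum 8)
    max_length: Optional[int]       # Maximum Password Length; None = Maximum Enforced off
    ban_previous: int               # Password Banning: earlier passwords that may not be reused
    min_hours_between: int          # Minimum Time Between Changes
    expiration_days: Optional[int]  # Password Expiration; None = Expiration enforced off
    min_special: int                # Password Composition minimums
    min_digits: int
    min_upper: int
    min_lower: int

    def __post_init__(self):
        if self.min_length < 8:
            raise ValueError("Minimum Password Length cannot be below 8 characters")
        if self.max_length is not None and self.max_length < self.min_length:
            raise ValueError("Maximum Password Length must not be below the minimum")


def hash_password(password: str, salt: str) -> str:
    # Demo-only: enough to compare against history without keeping plaintext.
    # A real store uses a slow, salted password hash (argon2id, bcrypt).
    return hashlib.sha256((salt + password).encode()).hexdigest()


def composition_problems(policy: PasswordPolicy, pw: str) -> list[str]:
    have = {
        "special characters": sum(c in SPECIAL_CHARS for c in pw),
        "digits": sum(c.isdigit() for c in pw),
        "upper case letters": sum(c.isupper() for c in pw),
        "lower case letters": sum(c.islower() for c in pw),
    }
    need = {"special characters": policy.min_special, "digits": policy.min_digits,
            "upper case letters": policy.min_upper, "lower case letters": policy.min_lower}
    return [f"needs at least {need[k]} {k}, has {have[k]}" for k in have if have[k] < need[k]]


def check_password_change(policy, candidate, history, salt, last_changed, now, admin_reset=False):
    """history: hashes of the user's passwords, newest first (index 0 = current).
    Returns the list of violated rules; empty means the new password is accepted.
    Assumed semantics: the current password plus the ban_previous before it are
    rejected, and an admin-initiated reset (Edit User) skips the time limit."""
    problems = []
    if not admin_reset and now - last_changed < timedelta(hours=policy.min_hours_between):
        problems.append("Minimum Time Between Changes has not elapsed")
    if len(candidate) < policy.min_length:
        problems.append(f"shorter than Minimum Password Length {policy.min_length}")
    if policy.max_length is not None and len(candidate) > policy.max_length:
        problems.append(f"longer than Maximum Password Length {policy.max_length}")
    problems += composition_problems(policy, candidate)
    if hash_password(candidate, salt) in history[: policy.ban_previous + 1]:
        problems.append(f"reuses the current password or one of the previous {policy.ban_previous}")
    return problems


def is_expired(policy, last_changed, now) -> bool:
    """Password Expiration applies only when Expiration enforced is on."""
    return policy.expiration_days is not None and now - last_changed >= timedelta(days=policy.expiration_days)


def demo_policy() -> PasswordPolicy:
    # Constructed values, not the platform defaults.
    return PasswordPolicy(min_length=12, max_length=64, ban_previous=2, min_hours_between=24,
                          expiration_days=90, min_special=1, min_digits=1, min_upper=1, min_lower=1)


DEMO_SALT = "constructed-demo-salt"
DEMO_HISTORY = [hash_password(p, DEMO_SALT)
                for p in ("CurrentPass!1x", "PreviousPass!2", "OlderPass!3xx", "AncientPass!4")]
DEMO_LAST_CHANGED = datetime(2024, 1, 1, 9, 0)


def demo_check(candidate: str, hours_since_change: int = 48, admin_reset: bool = False) -> list[str]:
    """Evaluate a candidate against the constructed policy and history."""
    now = DEMO_LAST_CHANGED + timedelta(hours=hours_since_change)
    return check_password_change(demo_policy(), candidate, DEMO_HISTORY, DEMO_SALT,
                                 DEMO_LAST_CHANGED, now, admin_reset)


def demo_expired(days_since_change: int) -> bool:
    return is_expired(demo_policy(), DEMO_LAST_CHANGED, DEMO_LAST_CHANGED + timedelta(days=days_since_change))


if __name__ == "__main__":
    for pw in ("AncientPass!4", "OlderPass!3xx", "alllowercase123!"):
        print(pw, demo_check(pw) or "accepted")
```

Note what the model makes visible: with Password Banning set to 2 the fourth password back is reusable again, and a change that fails only on Minimum Time Between Changes is rejected without telling the user how long to wait, exactly as the note above describes.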

Configure Login Settings

Set limits for login failures, lockouts, and wait times.

1. Go to Admin > Email & Login Settings and scroll down to Login Settings.
2. Enter a number for the setting you want to change.

  • Maximum Login Failures: The number of consecutive failed login attempts before a lockout occurs. We recommend a lockout after five failed attempts.
  • Maximum Temporary Lockouts: The number of temporary lockouts until an account is permanently locked.
  • Wait Increment: The increment in minutes that users must wait until a temporary lockout ends. Each time a temporary lockout occurs, this increment will multiply until the maximum wait increment is reached.
  • Failure Reset Time: The hours until the login failures reset.
  • Maximum Wait Increment: The maximum wait time that is enforced when a temporary lockout occurs. It must be a multiple of the Wait Increment value.
  • Session Lock When Idle: Time in minutes until an idle user is automatically logged out.

[Screenshot: All the Login Settings fields filled out.]
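The Login Settings interact: the wait grows with each temporary lockout, the Failure Reset Time clears the failure counter, and the lockout count eventually turns permanent. The simulation below is an added example (not the platform's code) that plays a constructed sequence of login attempts through settings named as on the page; the reading of "this increment will multiply" as n × Wait Increment, and the rule that lockouts beyond Maximum Temporary Lockouts are permanent, are assumptions.

```python
"""Simulation of the Login Settings above. Added example: the settings
mirror the page's fields; the way the wait grows and when the permanent
lock triggers are stated assumptions, and the attempt log is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginSettings:
    max_login_failures: int      # Maximum Login Failures (page recommends 5)
    max_temporary_lockouts: int  # Maximum Temporary Lockouts before a permanent lock
    wait_increment_min: int      # Wait Increment, minutes
    failure_reset_hours: int     # Failure Reset Time, hours
    max_wait_increment_min: int  # Maximum Wait Increment, minutes; multiple of Wait Increment
    session_lock_idle_min: int   # Session Lock When Idle, minutes

    def __post_init__(self):
        if self.max_wait_increment_min % self.wait_increment_min != 0:
            raise ValueError("Maximum Wait Increment must be a multiple of Wait Increment")


def lockout_wait_minutes(s: LoginSettings, lockout_number: int) -> int:
    """Wait imposed by the n-th temporary lockout (1-based).
    Assumed reading of "this increment will multiply": n * Wait Increment,
    capped at Maximum Wait Increment."""
    return min(lockout_number * s.wait_increment_min, s.max_wait_increment_min)


def simulate_logins(s: LoginSettings, attempts):
    """attempts: (minute, succeeded) tuples in time order for one account.
    Returns one outcome string per attempt plus the final lockout state."""
    failures = 0            # consecutive failures since the last reset
    lockouts = 0            # lockouts so far
    locked_until = None     # minute at which the current temporary lockout ends
    permanent = False
    last_failure = None
    outcomes = []
    for minute, succeeded in attempts:
        if permanent:
            outcomes.append("rejected: permanently locked")
            continue
        if locked_until is not None and minute < locked_until:
            outcomes.append("rejected: temporary lockout in effect")
            continue
        if last_failure is not None and minute - last_failure >= s.failure_reset_hours * 60:
            failures = 0    # Failure Reset Time elapsed: the counter starts over
        if succeeded:
            failures = 0
            outcomes.append("accepted")
            continue
        failures += 1
        last_failure = minute
        if failures < s.max_login_failures:
            outcomes.append("rejected: bad credentials")
            continue
        # Maximum Login Failures reached: a lockout occurs
        failures = 0
        lockouts += 1
        if lockouts > s.max_temporary_lockouts:
            permanent = True   # assumed: lockouts beyond the maximum are permanent
            outcomes.append("rejected: permanently locked")
        else:
            wait = lockout_wait_minutes(s, lockouts)
            locked_until = minute + wait
            outcomes.append(f"rejected: temporary lockout #{lockouts} for {wait} min")
    return {"lockouts": lockouts, "permanently_locked": permanent, "outcomes": outcomes}


def demo_settings() -> LoginSettings:
    # Constructed values (five failures per lockout, two temporary lockouts, 5/15 minute waits).
    return LoginSettings(max_login_failures=5, max_temporary_lockouts=2, wait_increment_min=5,
                         failure_reset_hours=1, max_wait_increment_min=15, session_lock_idle_min=15)


def demo_brute_force():
    """Constructed attempt log: three bursts of five bad passwords, then the
    real password once the account is already permanently locked."""
    minutes = [0, 1, 2, 3, 4, 6] + [10, 11, 12, 13, 14] + [30, 31, 32, 33, 34]
    attempts = [(m, False) for m in minutes] + [(35, True)]
    return simulate_logins(demo_settings(), attempts)


if __name__ == "__main__":
    for line in demo_brute_force()["outcomes"]:
        print(line)
```

The run shows why the Maximum Temporary Lockouts value matters on the response side: once the account is permanently locked, even the correct password is refused, so a System Admin has to clear the Locked flag in Edit User (the "Locked: Disable to unlock the user" option above).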


System Settings

Set the default identifier for target systems, Benchmark assessment score thresholds, file limits, and more.

Note

System settings apply only to the Benchmarks side of the CIS SecureSuite Platform.

Actions

Set Primary Target System ID Type

Set the default identifier for displaying target systems in lists and search results. This identifier applies across the application.

1. Go to Admin > System Settings.
2. From the Primary Target System ID Type dropdown, select your default identifier.

  • Hostname (default): The unique name that identifies a device connected to a network.
  • FQDN: The complete domain name for a specific computer, or host, on the internet.
  • Serial Number: The unique identifier assigned to a specific product by the manufacturer.
  • Ipv4 Address: The 32-bit alphanumeric label that identifies an endpoint device (e.g., 192.0.2.146).
  • Ipv6 Address: The 128-bit alphanumeric label that identifies an endpoint device (e.g., 2001:db8:3333:4444:5555:6666:7777:8888).
  • MAC Address: A 12-digit hexadecimal number assigned to each device connected to a network (e.g., 2C:54:91:88:C9:E3).

[Screenshot: The Primary Target System ID Type dropdown with Hostname selected.]

Enable Display DB Name in Primary

1. Go to Admin > System Settings.
2. Turn on Display DB Name in Primary to prefix database names with the default target system identifier.

[Screenshot: Display DB Name in Primary with the toggle set to the right (enabled).]

Set Score Thresholds for Benchmark Assessments

Set score thresholds for Benchmark assessments. These thresholds help you and your organization define how secure your configuration is.

[Screenshot: The score bars for low, medium, and high recommendation scores and their descriptions.]

Set Score Thresholds

1. Go to Admin > System Settings and scroll down to Benchmark Assessments.
2. Enter a value (0-100) or drag the circle on the score bar left or right.

  • Low Score Alert Threshold: Sends an Inbox alert to designated recipients when an imported assessment report has a score below this threshold.
  • High Configuration Score Threshold: Displays assessments scored above this threshold in green.
  • Medium Configuration Score Threshold: Displays assessments scored between this threshold and the high threshold in yellow.
  • Low Configuration Score Threshold: Displays assessments scored between this threshold and the medium threshold in orange. Assessments scored below this threshold display in red.

Set Score Difference Alert Threshold

When an assessment drops by more than the set point value from the previous import, the Test Result Diff alert is sent out to all designated recipients.

1. Go to Admin > System Settings and scroll down to Benchmark Assessments.
2. Enter the point threshold (0-100) to send out the alert.

Score Threshold Default

The threshold is set to zero by default, so the alert will be sent if the score goes down by any amount.
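The colour bands and the two score alerts above are easiest to reason about as one small function set. The following is an added example, not the platform's code: it validates the threshold ordering and the 0-100 range, assigns a band, and decides which of the two alerts an import raises. The direction of each boundary follows the descriptions above; whether an edge is inclusive, and the sample values in demo_settings(), are assumptions.

```python
"""Score-threshold logic for the Benchmark Assessments settings above.
Added example: the boundary directions (above, between, below) follow the
page; inclusive/exclusive edges and the sample values are assumptions."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ScoreSettings:
    low_score_alert: int        # Low Score Alert Threshold: Inbox alert below this score
    high: int                   # High Configuration Score Threshold (green above)
    medium: int                 # Medium Configuration Score Threshold (yellow band)
    low: int                    # Low Configuration Score Threshold (orange band, red below)
    score_diff_alert: int = 0   # Score Difference Alert Threshold; 0 = any drop alerts

    def __post_init__(self):
        for name in ("low_score_alert", "high", "medium", "low", "score_diff_alert"):
            value = getattr(self, name)
            if not 0 <= value <= 100:
                raise ValueError(f"{name} must be within 0-100, got {value}")
        if not self.low <= self.medium <= self.high:
            raise ValueError("thresholds must satisfy low <= medium <= high")


def score_color(s: ScoreSettings, score: int) -> str:
    """Colour band for a score (assumed: 'above' is strict, 'between' is inclusive)."""
    if score > s.high:
        return "green"
    if score >= s.medium:
        return "yellow"
    if score >= s.low:
        return "orange"
    return "red"


def alerts_for_import(s: ScoreSettings, score: int, previous: Optional[int]) -> list[str]:
    """Alerts raised when a new assessment result is imported.
    previous is the score of the last import for the same target, if any."""
    alerts = []
    if score < s.low_score_alert:
        alerts.append("Low Score on Test Result was imported")
    # "drops by more than the set point value": strict comparison, so the
    # default of 0 fires on any decrease at all
    if previous is not None and previous - score > s.score_diff_alert:
        alerts.append("The score of the imported Test Result went down compared to the previous score")
    return alerts


def demo_settings() -> ScoreSettings:
    # Constructed values, not the platform defaults.
    return ScoreSettings(low_score_alert=60, high=80, medium=60, low=40)


if __name__ == "__main__":
    s = demo_settings()
    for score in (85, 80, 60, 59, 40, 39):
        print(score, score_color(s, score))
    print(alerts_for_import(s, 59, 60))
```

Setting the Score Difference Alert Threshold above zero suppresses alerts for small regressions (as in the last assertion below), which trades noise for the chance of missing a slow drift downward; pairing it with a Low Score Alert Threshold keeps a floor under that trade.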

Set File Limit for Processed Directory

Define the maximum number of configuration assessment results that will be retained in C:\...\SecureSuite\securesuite_imports\processed after each new upload. The average size of an imported configuration assessment result is about 12 MB. We recommend storing no more than 10,000 reports (about 120 GB of storage space) for optimal performance.

1. Go to Admin > System Settings and scroll down to Directories.
2. Enter the maximum number of files to retain in the directory.

[Screenshot: The Processed Directory Retention Count field filled out.]

Note

All configuration assessment results, regardless of this file limit, will still be available within the CIS SecureSuite Platform.

Schedule Bulk Delete of Benchmark Assessments

Deleting an assessment flags it for removal at the daily scheduled time. We recommend setting this time outside regular business hours to reduce potential business impacts.

1. Go to Admin > System Settings and scroll down to Bulk Delete Benchmark (Configuration) Assessments.
2. Enable Remove Deleted Assessments.

[Screenshot: Callout to enable or toggle on the Remove Deleted Assessments field.]

3. Select Delete Assessment Start Time and use the arrows to set the time by the hour.

[Screenshot: Setting the Delete Assessment Start Time.]

4. Select Delete Assessment End Time and use the arrows to set the time by the hour.

Set Default Controls Version

Controls versions have different recommendations. Determine the default Controls version to view in Benchmark Assessment results.

1. Go to Admin > System Settings and scroll down to Controls Version.
2. From Default Controls Version, select a Controls version.

[Screenshot: The Default Controls Version dropdown set to 8.1.]


Industry Average

Opt in to or out of the Industry Average Service.

[Screenshot: The actions and information on the Industry Average tab.]

What is the Industry Average Service?

The Industry Average Service shows the average Controls assessment results for your organization's industry across your CIS SecureSuite Platform instance. Controls v8.1 data is available and handled in the same way as v8.0 data. Industry data is automatically updated daily.

By default, the Industry Average Service is disabled. Enabling this service means that you will share anonymous assessment scoring data with us over a TLS v1.3 connection.

The more data we have, the more useful and representative our industry average data sets can be. You can opt out of sharing your data at any time. The industry average subscription feed will terminate, however.

Actions

Enable Service

  • Toggle on/off Service Status.

Test connection

  • Select Send Test to verify you are connected to the Industry Average Service.

Alerts

View alerts and assign alert recipients.

[Screenshot: The list of alerts whose recipient lists are all editable on the Alerts tab.]

  • An Exception has been end dated: When an exception has reached its end date and will no longer be applied.
  • Approve or Reject Exception Request: When an exception has been requested for approval.
  • Exception Request Approved: When an exception request has been approved.
  • Exception Request Rejected: When an exception request has been rejected.
  • Low Score on Test Result was imported: When an imported Benchmark assessment scores below your minimum Low Score Alert Threshold.
  • Target System Deleted: When a target system has been deleted.
  • Test Result import failed: When a Benchmark assessment fails to be imported.
  • The score of the imported Test Result went down compared to the previous score: When an imported Benchmark assessment result score is lower than its previous score.

Alert Types

The alert type depends on the purpose of the alert. Refer to the table for details on different alert types.

  • Task: A set of actions that you need to perform to close it. Assigned Tasks appear in the Assigned Tasks tab.
  • Alert: A system event directly related to you, such as the completion of an upload you initiated.
  • Event: An occurrence in the system.

Actions

Edit Alert Recipient List

1. Go to Admin > Alerts.
2. Select the Edit icon for the target alert.

A window will open to edit the alert:

Add Recipients

1. With the Edit Alert window open, add recipients by user or role:

  • Add Users: Enter a name or select from the list of available users.
  • Add Roles: Select a role to add all users with that role.

Duplicate Alerts

A user will only receive one instance of an alert, even if they are included in the recipient list individually or by multiple roles.

2. Select Submit to finish.

Opt Out Recipients

If you want to add recipients in bulk through roles but do not want all of them to receive the alert, you can opt out recipients.

1. With the Edit Alert window open, select the Opt Out checkbox for the user or role.

2. Select Submit to finish.

Remove Recipients

1. With the Edit Alert window open, select x to remove the user or role.

2. Select Submit to finish.


Identity Provider (IdP)

Connect with an IdP to manage users externally and handle login.

User Management

When the CIS SecureSuite Platform is connected to an external IdP, user management and MFA must be managed primarily in your external IdP. You can connect to only one IdP at a time.

Username Attribute

When an IdP user first logs in to the CIS SecureSuite Platform, the user is automatically configured with the Basic User role. The username of the created user is the same as the username attribute sent by the IdP. Ensure the username attribute is correctly configured in the IdP’s attribute mapping.

Actions

Connect with SAML

The CIS SecureSuite Platform supports SSO through SAML providers. Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between parties.

When SAML is connected, local users with the same username as a SAML user will convert to SAML users when they log in to the CIS SecureSuite Platform. These users will have the first name, last name, and email of the SAML user and the roles of the local user.

Before you Start

  • Create a SAML application with your IdP.
  • If you want to auto-populate most of the fields in the CIS SecureSuite Platform, save the SAML metadata XML file or copy the SAML metadata URL from your IdP.
  • If you want to manually fill the fields in the CIS SecureSuite Platform, copy the values from your IdP and paste them into the fields in the CIS SecureSuite Platform.

Set up SAML SSO

1. Go to Admin > IdP.
2. From External Identity Provider, select SAML.

3. In Display Name, enter a descriptive, user-friendly display name for your SAML IdP. Users will see this name on the IdP's login tile on the CIS SecureSuite Platform login screen.
4. Either auto-populate or manually fill the rest of the fields.

Auto-populate

Select one of SAML Metadata options and configure accordingly:

  • SAML Metadata File: Select Choose File and upload the metadata XML file exported from your IdP.
  • SAML Entity Descriptor URL: Enter your IdP's metadata URL and select Fetch.

The remaining fields will be auto-populated with the metadata content.

Manual

Enter values for the following fields:

  • IdP Entity ID (Optional): The unique identifier of the IdP.
  • SSO Service URL: The login page that users use to access the CIS SecureSuite Platform through SSO.
  • SAML Signing Certificate: The digital certificate to verify the authenticity of data exchanged between your SAML IdP and the CIS SecureSuite Platform.

Blank IdP Entity ID

SSO can function properly when the IdP Entity ID field is blank, given that this field's value, blank or filled, matches in Keycloak and your external IdP.

5. Select Submit to finish.

If the information provided is correct, you will see a message confirming that SAML has been configured successfully.
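The auto-populate step reads the three manual-mode fields (IdP Entity ID, SSO Service URL, SAML Signing Certificate) out of the IdP's metadata XML. The parser below is an added example, not the platform's own import code: it shows where each value lives in standard SAML 2.0 metadata and which checks are worth running before Submit. SAMPLE_IDP_METADATA and SAMPLE_SP_METADATA are constructed (placeholder hostnames and a fake base64 blob in place of a certificate), and preferring the HTTP-POST binding over HTTP-Redirect is an assumption.

```python
"""Parser for the fields the SAML auto-populate step reads from IdP metadata.
Added example: SAMPLE_IDP_METADATA is constructed (placeholder hostnames and a
fake certificate), and the preference for the HTTP-POST binding is an assumption."""
import base64
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Not a real certificate: a base64 blob standing in for the DER bytes.
DEMO_CERT_B64 = base64.b64encode(b"constructed demo certificate bytes").decode()

SAMPLE_IDP_METADATA = f"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.test/saml/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{DEMO_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{DEMO_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="{REDIRECT}" Location="https://idp.example.test/saml/sso"/>
    <md:SingleSignOnService Binding="{POST}" Location="https://idp.example.test/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Service-provider metadata: no IdP role, so it must be rejected rather than half-filled.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.test">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>"""


def extract_saml_fields(metadata_xml: str):
    """Return ({field name as on the page: value}, [problems]).
    An empty problem list means the three manual-mode fields can be filled."""
    fields = {"IdP Entity ID": None, "SSO Service URL": None, "SAML Signing Certificate": None}
    problems = []
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        problems.append("root element is not md:EntityDescriptor")
        return fields, problems
    fields["IdP Entity ID"] = root.get("entityID")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        problems.append("no IDPSSODescriptor: this looks like SP metadata, not IdP metadata")
        return fields, problems

    # SSO Service URL: prefer the HTTP-POST binding, fall back to HTTP-Redirect (assumption)
    locations = {e.get("Binding"): e.get("Location") for e in idp.findall("md:SingleSignOnService", NS)}
    sso = locations.get(POST) or locations.get(REDIRECT)
    if sso is None:
        problems.append("no SingleSignOnService with an HTTP-POST or HTTP-Redirect binding")
    elif not sso.startswith("https://"):
        problems.append(f"SSO Service URL {sso!r} is not https")
    fields["SSO Service URL"] = sso

    # SAML Signing Certificate: KeyDescriptor with use="signing" (no use attribute means both uses)
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue   # encryption-only keys never verify assertions
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if cert is not None and cert.text:
            certs.append("".join(cert.text.split()))   # strip PEM-style line wrapping
    if not certs:
        problems.append("no signing certificate in metadata")
    else:
        fields["SAML Signing Certificate"] = certs[0]
        try:
            base64.b64decode(certs[0], validate=True)
        except ValueError:
            problems.append("signing certificate is not valid base64")
        if len(certs) > 1:
            problems.append(f"{len(certs)} signing certificates present (key rollover?); first one used")
    return fields, problems


if __name__ == "__main__":
    print(extract_saml_fields(SAMPLE_IDP_METADATA))
    print(extract_saml_fields(SAMPLE_SP_METADATA))
```

Two practical notes. The signing certificate extracted here is what the platform will trust to verify every assertion, so confirm its fingerprint with the IdP administrator rather than trusting whatever a metadata URL returned; and xml.etree is not hardened against entity-expansion payloads, so metadata obtained from a third party should go through a defusive parser (for example the defusedxml package) in anything beyond a demo.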

Connect with LDAP

The CIS SecureSuite Platform supports sign in with LDAP providers. Lightweight Directory Access Protocol (LDAP) allows the CIS SecureSuite Platform to find and access user information stored in a centralized directory.

When LDAP is connected, local users with the same username as an LDAP user will immediately convert to LDAP users with the first name, last name, and email of the LDAP user and the roles of the local user.

Set up LDAP

1. Go to Admin > IdP.
2. From External Identity Provider, select LDAP.

3. Enter values for the fields:

Note

The attribute values below may be different than yours. Double-check your Active Directory (AD) to ensure you enter the correct values.

  • Connection URL: The URL connection to the Active Directory server. Value: ldap://<IP_or_server_name>:<ldap_port> or ldaps://<IP_or_server_name>:<ldap_port>
  • Bind DN: The Distinguished Name (DN) of the user connecting to the LDAP server (administrator, usually). Value: CN=Administrator,CN=Users,DC=<your_domain>,DC=<your_top_level_domain>
  • Bind Credentials: The password for the Bind DN user.
  • Users DN: The LDAP path under which users can be found in your AD. Value: CN=Users,DC=<your_domain>,DC=<your_top_level_domain>
  • Username LDAP Attribute: The attribute in your AD that identifies usernames. Value: sAMAccountName
  • First Name LDAP Attribute: The attribute in your AD that identifies first names. Value: givenName
  • Last Name LDAP Attribute: The attribute in your AD that identifies last names. Value: sn
  • Email LDAP Attribute: The attribute in your AD that identifies emails. Value: mail
  • RDN LDAP Attribute: The attribute in your AD to use as the RDN (top attribute) of the typical user DN. Value: sAMAccountName
  • UUID LDAP Attribute: The attribute in your AD that will be used as the unique object identifier. Value: objectGUID
  • User Object Classes: The attribute that defines the type of an object and the set of attributes it can have. Value: person, organizationalPerson, user

4. (Optional) Select the Periodic full sync checkbox to enable this setting and enter the desired time (in seconds) between syncs of all LDAP users.
5. (Optional) Select the Changed users sync period to enable this setting and enter a time (in seconds) between syncs of changes made to LDAP users.

Note

Enabling these settings is optional but recommended, as users' profile information stored in AD should be regularly updated in Keycloak. Both settings have a max value of 86400 seconds (24 hours).

6. Select Submit when finished.

If the information provided is correct, you will see a message confirming that LDAP has been configured successfully. Users imported from AD do not show on the Users page until they log in and are federated through the configured LDAP provider.
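Before submitting the LDAP form, it is worth checking the values offline: the documentation placeholders (<your_domain>) are easy to leave in place, ldap:// rather than ldaps:// sends the Bind Credentials in clear text, and the sync periods have a 86400-second ceiling. The reviewer below is an added example, not the platform's own validation; the AD attribute defaults follow the table above, while the hostnames, DNs and secret in demo_settings() are constructed.

```python
"""Preflight review of the LDAP form values above before they are submitted.
Added example: the field names and AD attribute values follow the page; the
sample settings are constructed, and the checks are not the platform's own."""
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import urlsplit

MAX_SYNC_SECONDS = 86400  # both sync periods top out at 24 hours


@dataclass(frozen=True)
class LdapSettings:
    connection_url: str
    bind_dn: str
    bind_credentials: str
    users_dn: str
    username_attr: str = "sAMAccountName"
    first_name_attr: str = "givenName"
    last_name_attr: str = "sn"
    email_attr: str = "mail"
    rdn_attr: str = "sAMAccountName"
    uuid_attr: str = "objectGUID"
    user_object_classes: Tuple[str, ...] = ("person", "organizationalPerson", "user")
    periodic_full_sync_s: Optional[int] = None   # None = checkbox off
    changed_users_sync_s: Optional[int] = None


def parse_dn(dn: str):
    """Split a DN into (attribute, value) RDNs, honouring backslash-escaped commas.
    Returns None when any component is not attr=value."""
    parts, buf, escaped = [], "", False
    for ch in dn:
        if escaped:
            buf, escaped = buf + ch, False
        elif ch == "\\":
            buf, escaped = buf + ch, True
        elif ch == ",":
            parts.append(buf)
            buf = ""
        else:
            buf += ch
    parts.append(buf)
    rdns = []
    for part in parts:
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip() or not value.strip():
            return None
        rdns.append((attr.strip(), value.strip()))
    return rdns


def domain_components(rdns) -> list:
    return [v.lower() for a, v in rdns if a.lower() == "dc"]


def review_ldap_settings(s: LdapSettings):
    """Return (problems, warnings): problems should block Submit, warnings deserve a second look."""
    problems, warnings = [], []
    url = urlsplit(s.connection_url)
    if url.scheme not in ("ldap", "ldaps"):
        problems.append(f"Connection URL must start with ldap:// or ldaps://, got {s.connection_url!r}")
    elif not url.hostname:
        problems.append("Connection URL has no host")
    else:
        if url.scheme == "ldap":
            warnings.append("ldap:// sends the Bind Credentials and every user attribute in clear text; prefer ldaps://")
        if url.port is None:
            warnings.append(f"no port given; the server default ({389 if url.scheme == 'ldap' else 636}) will be used")

    for label, value in (("Bind DN", s.bind_dn), ("Users DN", s.users_dn)):
        if "<" in value or ">" in value:
            problems.append(f"{label} still contains a <placeholder> from the documentation")
        elif parse_dn(value) is None:
            problems.append(f"{label} is not a valid DN: {value!r}")
    bind, users = parse_dn(s.bind_dn), parse_dn(s.users_dn)
    if bind and users and domain_components(bind) != domain_components(users):
        warnings.append("Bind DN and Users DN point at different domains (DC= components differ)")

    if not s.bind_credentials:
        problems.append("Bind Credentials is empty")
    if not s.user_object_classes:
        problems.append("User Object Classes must list at least one class")

    for label, value in (("Periodic full sync", s.periodic_full_sync_s),
                         ("Changed users sync period", s.changed_users_sync_s)):
        if value is not None and not 1 <= value <= MAX_SYNC_SECONDS:
            problems.append(f"{label} must be between 1 and {MAX_SYNC_SECONDS} seconds, got {value}")
    if s.periodic_full_sync_s is None and s.changed_users_sync_s is None:
        warnings.append("no sync enabled: AD profile changes reach Keycloak only when the user next logs in")
    return problems, warnings


def demo_settings(**overrides) -> LdapSettings:
    """Constructed AD values for a hypothetical corp.example domain."""
    base = dict(connection_url="ldaps://dc01.corp.example:636",
                bind_dn="CN=svc-securesuite,CN=Users,DC=corp,DC=example",
                bind_credentials="constructed-demo-secret",
                users_dn="CN=Users,DC=corp,DC=example",
                periodic_full_sync_s=86400, changed_users_sync_s=3600)
    base.update(overrides)
    return LdapSettings(**base)


if __name__ == "__main__":
    print(review_ldap_settings(demo_settings()))
    print(review_ldap_settings(demo_settings(connection_url="ldap://dc01.corp.example")))
```

The Bind DN in the constructed sample is a dedicated service account rather than the domain Administrator the table suggests "usually"; a read-only account scoped to the Users DN is the least-privilege choice, since its password sits in the platform's configuration for as long as LDAP stays connected.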

Remove IdP

1. Go to Admin > IdP.
2. From External Identity Provider, select None and then Submit.
3. Select Clear to confirm the removal of the IdP from the CIS SecureSuite Platform.

Note

After removing an IdP from the CIS SecureSuite Platform, your IdP users are automatically converted to local users. These users will retain their user information (name, email, etc.) but will need to reset their passwords when they next attempt to log in to the CIS SecureSuite Platform.