Controls¶
Introduction¶
The Controls area of the CIS SecureSuite Platform is where organizations can conduct self-assessments of their implementation of the CIS Critical Security Controls (CIS Controls).
What are the CIS Controls?
The CIS Controls are a general set of recommended practices for securing a wide range of systems and devices.
This guide covers:
- Getting Started with Controls Assessments
- Controls Console
- Organizations
- CIS Controls
- Controls Versions
Get Started with Controls Assessments¶
To give you a general sense of how the different modules connect, here is how you would perform a Controls assessment with a new instance of the CIS SecureSuite Platform:
1. In Admin, a System Admin creates a top-level organization and adds users.
2. An Organization Admin starts a new assessment or imports an assessment.
3. In the Safeguard View of the assessment, Organization Admins and Full Users assign tasks.
4. Organization users set scores and complete their assigned tasks in the Safeguard View.
5. The assignor validates tasks in the Safeguard View.
Tip
Workflow actions can be performed in bulk on the Assessment Summary Tab.
6. When all tasks are validated, users can export the finished assessment to share results with others.
Controls Console¶
The Controls Console provides an overview of your organizations and assessments, as well as assessment templates.
The Controls Console has three sections:
My Organizations¶
My Organizations contains all the organizations you are a member of. From here, you can start Controls assessments or view your organizations in greater detail.
Actions Available by Role¶
| Action | Org. Admin | Full User | Basic User | System Admin |
|---|---|---|---|---|
| Start New Assessment | X | | | |
| Import Assessment | X | | | |
| Go to Organization Info page | X | X | X | |
| Manage Organizations | X | | | X |
Start New Assessment¶
Organization Admins can start new Controls assessments.
1. Go to Controls Console.
2. Under My Organizations, select the Start a New Assessment icon.
3. Configure the assessment as follows:
- Due Date: Set a due date for the assessment to be completed.
- Name: Enter a descriptive, user-friendly name for the assessment. The name cannot include special characters.
- Assessment Template: Select CIS Controls v7.1 or v8.1. Refer to Controls Versions to help you decide which version to use.
- Implementation Group: Select IG-1, IG-1 & IG-2, or IG-1, IG-2, & IG-3.
4. Select Create.
You will go to the assessment automatically once it has been created.
Import Assessment¶
Organization Admins can import assessments from an assessment spreadsheet exported from hosted CSAT, CSAT Pro, or another CIS SecureSuite Platform instance.
Note
The user associated with the imported file must be a CIS SecureSuite Platform user for the "Validation" and "Completion" statuses to be included in the assessment import.
1. Go to Controls Console.
2. Under My Organizations, select the Import Assessment icon.
3. Configure as follows:
- Due Date: Set a due date for the assessment to be completed.
- Source: Select CSAT Pro CSV or Hosted CSAT XLS depending on the export source.
- Assessment to Import: Select Choose File to choose the file to be imported.
- Assessment Name: Enter a name for the assessment.
- Assessment Template: Select CIS Controls v7.1 or v8.1. Refer to Controls Versions to help you decide which version to use.
- Implementation Group: Select IG-1, IG-1 & IG-2, or IG-1, IG-2, & IG-3.
4. Select Import.
Following the import process, a detailed log indicating import successes and warnings is generated and displayed. This import log is available in the assessment’s Event Log.
Go to Organization Info Page¶
1. Go to Controls Console.
2. Under My Organizations, select an organization name to go to its Organization Info page.
What is an Organization Info page?
Organization Info pages allow you to view, edit, or manage an organization depending on your organization role.
Manage Organizations¶
1. Go to Controls Console.
2. Under My Organizations, select Manage Organizations to go to the Organizations tab in Admin.
Note
Only System Admins and Organization Admins can manage organizations.
Assessment Templates¶
Assessment Templates contains the assessment templates available to you.
Scoring Method¶
The CIS SecureSuite Platform uses a Simple Scoring method for CIS Controls assessments.
This means that each CIS Safeguard can be assigned a whole number score of 1-5. Reference ranges are provided with each option; for instance, if an organization has a Safeguard implemented on 50% of their systems, they could select a score of 3, which has a reference range of 41 – 60%. These reference ranges are only for convenience. They are not strict standards to follow. If an organization has its own way of scoring on a 1 – 5 scale that differs from the reference ranges, select the 1 – 5 scores that fit the organization’s scoring methodology.
The 1–5 Safeguard score is converted to a percentage with the formula:
(Score – 1) * 25.
Go to Assessment Template¶
1. Go to Controls Console.
2. Under Assessment Templates, select an assessment template to view in more detail.
You will see a page with information about the Controls framework and the scoring method.
My Assessments¶
My Assessments contains all open and closed Controls assessments for the organizations you are a member of.
Actions Available by Role¶
| Action | Org. Admin | Full User | Basic User |
|---|---|---|---|
| View List of Open/Closed Assessments | X | X | X |
| Go to Assessment Dashboard | X | X | |
| Edit Assessment | X | | |
| Go to Assigned Tasks | X | X | X |
| Go to Pending For Validation Tasks | X | X | |
| Delete Assessment | X | | |
View List of Open/Closed Assessments¶
All organization roles can see a list of the open or closed assessments for the organization they are a member of.
1. Go to Controls Console.
2. Under My Assessments, select Open or Closed to view a list of your open or closed assessments.
Go to Assessment Dashboard¶
Organization Admins and Full Users can go to the Assessment Dashboard tab for the assessment. The tab provides an overview of the assessment.
1. Go to Controls Console.
2. Under My Assessments, select the Go to Assessment Dashboard icon for the assessment.
Edit Assessment¶
Organization Admins can edit the name, start date, due date, or date closed of an assessment.
1. Go to Controls Console.
2. Under My Assessments, select the Edit Assessment icon.
3. Update the fields as desired.
4. Select Save to finish.
Go to Assigned Tasks¶
All organization roles can go to the Assigned Tasks tab of the assessment. The tab lists the user’s assigned tasks for an assessment along with the assignor and due date.
1. Go to Controls Console.
2. Under My Assessments, select the Go to Assigned Tasks icon to go to the tab.
Go to Pending For Validation Tasks¶
Organization Admins and Full Users can go to the Pending For Validation Tasks tab of the assessment. The tab shows a list of completed but not validated tasks for which you’re the assignor.
1. Go to Controls Console.
2. Under My Assessments, select the Pending for Validation Tasks icon to go to the tab.
Delete Assessment¶
Deleted assessments cannot be recovered.
Organization Admins can delete any unnecessary assessments.
1. Go to Controls Console.
2. Under My Assessments, select the Delete icon.
3. Select Delete to confirm.
Organization Info Page¶
Each organization has its own Organization Info page. The page has information and configurable sections specific to the organization. This page is accessible to all of the organization's users, but certain actions are limited by your organization role.
Sections¶
Organization Chart¶
View the top-level organization and its sub-organizations in a hierarchy.
1. Go to Controls Console and select the organization under My Organizations.
2. Select View Org. Chart.
The currently selected organization is colored green, while other organizations are colored blue. For each organization/sub-organization, its name and industry are displayed, as well as the number of direct and total sub-organizations under that organization.
- Drag to move around to view different parts of the chart.
- Zoom in or out using the scroll wheel of the mouse.
- Select +/- to display/hide the sub-organizations under a parent organization.
- Select an organization to go to its Organization Info page. You must be a member of the organization to have access to its page.
Users¶
Users displays the organization's users and their information.
Manage Users¶
1. Go to Controls Console and select the organization under My Organizations.
2. Select Manage Users to go to the Organizations tab in Admin.
Organizations Tab
The Organizations tab is where System Admins and Organization Admins can add users to or remove them from organizations and change their organization roles.
Sub-organizations¶
Sub-organizations displays the organization's sub-organizations and their industries.
Actions Available by Role¶
| Action | Org. Admin | Full User | Basic User | System Admin |
|---|---|---|---|---|
| Go to Sub-org's Organization Info Page | X | X | X | |
| Manage Organizations | X | | | X |
Go to Sub-org's Organization Info Page¶
1. Go to Controls Console and select the organization under My Organizations.
2. Under Sub-organizations, select View for the sub-org to go to its Organization Info page.
Manage Organizations¶
1. Go to Controls Console and select the organization under My Organizations.
2. Under Sub-organizations, select Manage Organizations to go to the Organizations tab in Admin.
Note
Only System Admins and Organization Admins can manage organizations.
Assessments¶
Assessments lists all of the organization's assessments and their details.
Actions Available by Role¶
| Action | Org. Admin | Full User | Basic User |
|---|---|---|---|
| Import Assessment | X | | |
| Start New Assessment | X | | |
| Go to Assessment Dashboard | X | X | |
| Edit Assessment | X | | |
| Go to Assigned Tasks | X | X | X |
| Go to Pending Validation Tasks | X | X | |
| Delete Assessment | X | | |
Import Assessment¶
Organization Admins can import assessments using an exported assessment spreadsheet from hosted CSAT, CSAT Pro, or another CIS SecureSuite Platform instance.
Note
The user associated with the imported file must be a CIS SecureSuite Platform user for the "Validation" and "Completion" statuses to be included in the assessment import.
1. Go to Controls Console and select the organization under My Organizations.
2. Under Assessments, select the Import Assessment icon.
3. Configure as follows:
- Due Date: Set a due date for the assessment to be completed.
- Source: Select CSAT Pro CSV or Hosted CSAT XLS depending on the export source.
- Assessment to Import: Select Choose File to choose the file to be imported.
- Assessment Name: Enter a name for the assessment.
- Assessment Template: Select CIS Controls v7.1 or v8.1. This selection determines the Control Framework and Scoring Method that the assessment will use.
- Implementation Group: Select IG-1, IG-1 & IG-2, or IG-1, IG-2, & IG-3.
4. Select Import.
Following the import process, a detailed log indicating import successes and warnings is generated and displayed. This import log is available in the assessment’s Event Log.
Start New Assessment¶
Organization Admins can start new Controls assessments. All fields except for the Implementation Group can be edited after starting an assessment.
1. Go to Controls Console and select the organization under My Organizations.
2. Under Assessments, select the Start a New Assessment icon.
3. Configure the assessment as follows:
- Due Date: Set a due date for the assessment to be completed.
- Name: Enter a descriptive, user-friendly name for the assessment.
- Assessment Template: Select CIS Controls v7.1 or v8.1. This selection determines the Control Framework and Scoring Method that the assessment will use.
- Implementation Group: Select IG-1, IG-1 & IG-2, or IG-1, IG-2, & IG-3.
4. Select Create.
The assessment will open automatically once it has been created.
Go to Assessment Dashboard¶
Organization Admins and Full Users can go to the Assessment Dashboard tab of the assessment. The tab provides an overview of the assessment.
1. Go to Controls Console and select the organization under My Organizations.
2. Under Assessments, select the assessment name or Go to Assessment Dashboard icon for the assessment.
Edit Assessment¶
Organization Admins can edit the name, start date, due date, or date closed of an assessment.
1. Go to Controls Console and select the organization under My Organizations.
2. Under Assessments, select the Edit Assessment icon.
3. Update the fields as desired.
4. Select Save to finish.
Go to Assigned Tasks¶
Organization Admins, Full Users, and Basic Users can go to the Assigned Tasks tab of the assessment. The tab lists the user’s assigned tasks for an assessment along with the assignor and due date.
1. Go to Controls Console and select the organization under My Organizations.
2. Under Assessments, select the Assigned Tasks icon to go to the tab.
Go to Pending Validation Tasks¶
Organization Admins and Full Users can go to the Pending For Validation Tasks tab of the assessment. The tab shows a list of completed but not validated tasks for which you’re the assignor.
1. Go to Controls Console and select the organization under My Organizations.
2. Under Assessments, select the Pending Tasks icon to go to the tab.
Delete Assessment¶
Deleted assessments cannot be recovered.
Organization Admins can delete any unnecessary assessments.
1. Go to Controls Console and select the organization under My Organizations.
2. Under Assessments, select the Delete icon.
3. Select Delete to confirm.
Organization History¶
Organization History shows a record of actions taken on or within the organization.
1. Go to Controls Console and select the organization under My Organizations.
2. Under Organization History, select the links to navigate to a profile, organization, assessment, etc.
Access Limitations
Depending on your organization role, you may not have access to some of the content linked in this section.
Assessment History¶
Assessment History shows how an organization's scores for closed assessments have changed over time.
The chart distinguishes between assessment templates (CIS Controls v7.1 vs 8.1) and automatically sets the appropriate time increment based on the closed times of your various assessments.
Controls Assessments¶
Each assessment has its own dedicated area for you to view its progress and results, assign its tasks, and score its Safeguards.
Tabs¶
Navigate through assessments using the tabs. Each one allows you to perform different tasks.
| Tab | Description |
|---|---|
| Dashboard | An overview of the Controls assessment, including performance and completion metrics. |
| Assessment Summary | A filterable, exportable list of the assessment's Safeguards with task status information. You can also bulk edit Safeguard tasks. |
| Event Log | A record of events for the assessment. |
| Calendar | A calendar with tasks by due date. |
| Assigned Tasks | Tasks assigned to you that have not been completed. |
| Pending Validation Tasks | Tasks you assigned that have been completed and are pending your validation. |
Tab Access by Organization Role
Organization Admins and Full Users have full access to all tabs. Basic Users have access only to the Assigned Tasks tab and their assigned tasks.
Dashboard¶
Dashboard serves as a hub for the Controls assessment. This tab provides Organization Admins and Full Users an overview of the assessment, including performance metrics and data visualizations.
Dashboard Actions¶
Dashboard actions appear at the top-right of the page.
Actions Available by Role¶
| Action | Org. Admin | Full User | Basic User |
|---|---|---|---|
| Copy Assessment | X | | |
| Close or Reopen Assessment | X | | |
| Export CSV | X | X | |
| Export Board-Level Slides | X | X | |
| Export All Evidence | X | X | |
| Delete Assessment | X | | |
Copy Assessment¶
Organization Admins can create a copy of an assessment and most of its data. The copy's status will be Open, and the Start Date will be set to the date the copy is created. The rest of the assessment-level and task-level data is copied as is.
1. Go to Controls Console or an Organization Info page and select the Go to Assessment Dashboard icon for the assessment.
2. Select Copy Assessment.
3. Select Continue to create a copy of the assessment and its data.
Note
Changes to either the original or the copy are independent and will not affect the other assessment.
Close or Reopen Assessment¶
If an assessment is open, Organization Admins can close it to prevent edits.
1. Go to Controls Console or an Organization Info page and select the Go to Assessment Dashboard icon for the assessment.
2. Select Close.
If an assessment is closed, Organization Admins can reopen it to allow edits.
1. Go to Controls Console or an Organization Info page and select the Go to Assessment Dashboard icon for the assessment.
2. Select Reopen.
Export CSV¶
Organization Admins and Full Users can export a CSV report containing information similar to data found in the Assessment Summary tab. By default, this export will contain only the Safeguards that have been scored so far.
1. Go to Controls Console or an Organization Info page and select the Go to Assessment Dashboard icon for the assessment.
2. Select Export CSV.
3. Select a location to download a Safeguard-level spreadsheet.
Tip
The Export Filtered CSV functionality on the Assessment Summary tab can be used to customize which Safeguards are exported to CSV.
Export Board-Level Slides¶
Organization Admins and Full Users can export a set of slides containing high-level assessment summary information in PPTX format. These slides contain information and graphs from the Assessment Dashboard, as well as the Assessment History graph from the Organization Info page.
1. Go to Controls Console or an Organization Info page and select the Go to Assessment Dashboard icon for the assessment.
2. Select Export Board-Level Slides.
3. Select a location to download the export.
Export All Evidence¶
Organization Admins and Full Users can export all the evidence files uploaded to the assessment as a ZIP file.
1. Go to Controls Console or an Organization Info page and select the Go to Assessment Dashboard icon for the assessment.
2. Select Export All Evidence.
3. Select a location to download the export.
Performance Snapshot¶
View current performance metrics on the overall assessment.
| Metric | Description | Calculation |
|---|---|---|
| Assessment Average | The score for the whole assessment | Sum of Validated and Applicable Control Averages* divided by Number of Applicable Controls |
| Industry Average | The average assessment score for the organization's industry | Sum of Assessment Averages for Organizations in Industry divided by Number of Organizations in Industry |
| Assessment Completed | Percent of applicable Safeguards completed | |
| Assessment Validated | Percent of applicable Safeguards validated | |
* A Control as a whole is applicable if at least one of its Safeguards is applicable.
Assessment Info¶
View summary information about the assessment, including its status, control framework, scoring method, start date, due date, open/closed, organization, industry, and selected Implementation Groups.
Change Implementation Group¶
Organization Admins can change the Implementation Group for the assessment. Doing so will change the Safeguards that apply to the assessment.
1. Go to Controls Console or an Organization Info page and select the Go to Assessment Dashboard icon for the assessment.
2. From the Implementation Group dropdown, select a different Implementation Group.
Warning
Making this change will set Safeguard applicability to the chosen Implementation Group's default settings: IG-1 sets all IG-1 Safeguards as applicable; IG-2 sets all IG-1 and IG-2 Safeguards as applicable; IG-3 sets all IG-1, IG-2, and IG-3 Safeguards as applicable. Any applicability deviating from the chosen IG's default settings will be reset.
Controls Map¶
View the current scores and progress of each Control.
- To find this map, go to Controls Console or an Organization Info page and select the Go to Assessment Dashboard icon for the assessment.
- The Score refers to the average score for the Control. It is calculated as follows: Total Score of Applicable and Validated Safeguards divided by Number of Applicable and Validated Safeguards.
- The bar represents how much progress has been made validating the Control.
Go to Control¶
1. Go to Controls Console or an Organization Info page and select the Go to Assessment Dashboard icon for the assessment.
2. Select a Control to view it and work on its Safeguards.
Graphs¶
CIS Controls Implementation Average¶
A bar or radar chart showing each Control's average score (and corresponding industry Control averages if opted in).
Tip
Hover over a bar or point to see the exact score.
The bar or point for each Control represents the assessment's current average for that Control. Each average is calculated by adding up the scores of the applicable and validated Safeguards in that Control and then dividing that sum by the total number of applicable and validated Safeguards in that Control.
Monthly Assessment Average¶
A line graph that tracks the assessment's average score by month.
Your assessment's average scores appear as a blue line. If you've opted in to the Industry Average Service, a red line displays the industry average score by month.
The snapshot for the previous month is generally taken on the first day of the following month if the CIS SecureSuite Platform instance is live. For instance, the August data will appear on September 1.
Controls Implementation Average¶
A bar chart that tracks the assessment's average score by Implementation Group. If you've opted in to the Industry Average Service, this chart also has a second bar representing the industry average for each Control and the Number of Organizations Used in this Industry Average at the bottom.
Tip
Hover over the bars to see the exact score for the IG.
Scores for the bars are calculated by averaging the validated scores of the Safeguards in each Implementation Group. All Safeguards, regardless of applicability, are factored into the scores.
For example, CIS Controls v7.1 IG1 has 43 Safeguards. If one of those 43 Safeguards is scored at 100% and validated, while all the rest are scored at 0, then the calculation would be 100/43 = 2.3. The calculated figure is then rounded to the nearest whole number to get your score: 2, in this case.
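As an added worked example (not part of the platform's documentation or code), the Python below implements the scoring rules described on this page: the (Score – 1) * 25 conversion, the Control Average over applicable and validated Safeguards, the Assessment Average over applicable Controls, and the rounded Implementation Group average from the 100/43 example. Assumed, because the page does not say: averages are taken over the percentage form of the scores, and an applicable Control with no validated Safeguards yet contributes 0 to the Assessment Average.

```python
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass
class Safeguard:
    """One CIS Safeguard (task) in an assessment; all instances below are constructed sample data."""
    control: int                  # number of the parent CIS Control
    applicable: bool = True       # the Applicable? toggle
    score: Optional[int] = None   # Simple Scoring value 1-5, None until scored
    validated: bool = False       # has the assignor validated the task?


def score_to_percent(score: int) -> int:
    """Simple Scoring conversion from the page: (Score - 1) * 25, so 1 -> 0% and 5 -> 100%."""
    if score not in range(1, 6):
        raise ValueError("Simple Scoring uses whole-number scores 1-5")
    return (score - 1) * 25


def control_average(safeguards: Iterable[Safeguard]) -> Optional[float]:
    """Control Average: total percent score of the applicable *and* validated Safeguards
    divided by the number of applicable and validated Safeguards.
    Returns None while no Safeguard of the Control qualifies yet."""
    counted = [score_to_percent(s.score)
               for s in safeguards
               if s.applicable and s.validated and s.score is not None]
    if not counted:
        return None
    return sum(counted) / len(counted)


def assessment_average(safeguards: Iterable[Safeguard]) -> Optional[float]:
    """Assessment Average: sum of the applicable Controls' averages divided by the
    number of applicable Controls. A Control is applicable if at least one of its
    Safeguards is applicable. Assumption (not stated on the page): an applicable
    Control with nothing validated yet adds 0 to the sum but counts in the denominator."""
    by_control: dict[int, list[Safeguard]] = {}
    for s in safeguards:
        by_control.setdefault(s.control, []).append(s)
    applicable = [group for group in by_control.values() if any(s.applicable for s in group)]
    if not applicable:
        return None
    total = sum(control_average(group) or 0.0 for group in applicable)
    return total / len(applicable)


def implementation_group_average(group: Iterable[Safeguard]) -> int:
    """Controls Implementation Average for one IG bar: validated percent scores of every
    Safeguard in the group (applicability is ignored; anything unscored or unvalidated
    counts as 0), divided by the total number of Safeguards in the group, then rounded
    to the nearest whole number. The caller decides which Safeguards belong to the IG."""
    group = list(group)
    if not group:
        return 0
    total = sum(score_to_percent(s.score) for s in group if s.validated and s.score is not None)
    return round(total / len(group))


def v71_ig1_example() -> int:
    """The page's worked example: 43 IG1 Safeguards, one scored 100% and validated,
    the rest at 0, gives 100 / 43 = 2.3, which rounds to 2."""
    group = [Safeguard(control=1, score=5, validated=True)]
    group += [Safeguard(control=1) for _ in range(42)]
    return implementation_group_average(group)


if __name__ == "__main__":
    # Constructed sample: Control 1 has a mix of states, Control 2 is entirely not
    # applicable, Control 3 is applicable but nothing has been validated yet.
    sample = [
        Safeguard(1, score=5, validated=True),                    # 100%, counts
        Safeguard(1, score=3, validated=True),                    #  50%, counts
        Safeguard(1, score=4, validated=False),                   # not validated, ignored
        Safeguard(1, applicable=False, score=5, validated=True),  # not applicable, ignored
        Safeguard(2, applicable=False),
        Safeguard(3, score=2, validated=False),
    ]
    print("Control 1 average:", control_average([s for s in sample if s.control == 1]))  # 75.0
    print("Assessment average:", assessment_average(sample))                              # 37.5
    print("v7.1 IG1 example:", v71_ig1_example())                                        # 2
```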
Assessment Summary¶
Assessment Summary shows a list of the assessment’s Safeguards with task status information.
Go to Task¶
1. Go to Controls Console or an Organization Info page and select the assessment name or Go to Assessment Dashboard icon for the assessment.
2. Go to Assessment Summary.
3. Select a task’s number or title to go to the Safeguard View for that task.
View details¶
1. Go to Controls Console or an Organization Info page and select the assessment name or Go to Assessment Dashboard icon for the assessment.
2. Go to Assessment Summary.
3. Hover over a checkmark to view the user who performed the action and any additional information.
Filter Safeguards¶
Filter down the Safeguard list to view entries of interest.
1. Go to Controls Console or an Organization Info page and select the assessment name or Go to Assessment Dashboard icon for the assessment.
2. Go to Assessment Summary.
3. Select Filter to show the available filters.
Collapse Filter List
Select Filter again to collapse the filter list.
4. Select from the various filters to narrow down the assessment list.
5. Select Search.
Export Filtered CSV¶
Export a filtered list of Safeguards and task information as a .CSV file.
1. Go to Controls Console or an Organization Info page and select the assessment name or Go to Assessment Dashboard icon for the assessment.
2. Go to Assessment Summary.
3. Select Export Filtered CSV.
4. Save the file to the desired directory.
Bulk Edit¶
For open assessments, you can bulk edit tasks to save time.
1. Go to Controls Console or an Organization Info page and select the assessment name or Go to Assessment Dashboard icon for the assessment.
2. Go to Assessment Summary.
3. Select a bulk action.
4. Select the checkboxes of the tasks you want to bulk edit.
5. Select Bulk Edit.
6. (If applicable) Enter the requested information in the pop-up window.
7. Select Submit to perform the bulk action.
Bulk Actions¶
Toggle Applicability¶
Set applicability of tasks.
1. From the Bulk Edit dropdown, select Toggle Applicability.
2. Select Applicable to enable/disable.
3. Select Submit to finish.
Note
A task that is not applicable cannot be scored and workflow actions will not be available.
Once the desired applicability has been submitted, the tasks' applicability will be updated, and a summary message banner will appear to indicate how many tasks were set to the new value and how many were already in the selected state.
Assign User¶
Assign tasks to a user.
1. From the Bulk Edit dropdown, select Assign User.
2. Provide the following information:
- Assign To: Select or enter the user to assign to the task.
- Due Date: Select a due date for the task.
- Comment: (Optional) Enter a message for the assigned user.
3. Select Submit to finish.
After you submit the information, a summary of the assignments will be displayed in a message banner containing information about how many tasks were successfully assigned, how many were reassigned, and how many were unable to be assigned (tasks that are in Completed, Validated, or Not Applicable cannot be assigned).
A single email is sent to the assigned user, listing the tasks successfully assigned to the user. An email will not be sent when users assign tasks to themselves.
Unassign User¶
Unassign tasks from a user.
1. From the Bulk Edit dropdown, select Unassign User.
2. Review the tasks and select Submit to confirm.
After the task is unassigned, a message banner will appear, stating how many tasks were successfully unassigned, how many did not have an assigned user prior to this bulk action, and how many could not be unassigned (tasks that are Completed, Validated, or Not Applicable cannot be unassigned).
Complete¶
Set tasks to the Completed workflow state.
1. From the Bulk Edit dropdown, select Complete.
2. Review the tasks and select Submit to confirm.
After you change the workflow state, a message banner will appear, stating how many tasks were successfully completed and how many could not be completed (tasks that are not scored yet, are Not Applicable, or are Completed/Validated).
Send Back¶
Revert Completed workflow state from tasks.
1. From the Bulk Edit dropdown, select Send Back.
2. Enter an optional comment and select Submit to confirm.
After you revert the workflow state, a message banner will appear, stating how many tasks were successfully sent back, and how many could not be sent back (tasks that are not scored yet or are Not Applicable).
Validate¶
Set Completed tasks to the Validated workflow state.
1. From the Bulk Edit dropdown, select Validate.
2. Review the tasks and select Submit to confirm.
After you change the workflow state, a message banner will appear, stating how many tasks were successfully validated, and how many could not be validated (tasks that are not Completed, are Not Applicable, or are Validated).
Revert Validation¶
Revert the Validated workflow state for tasks.
1. From the Bulk Edit dropdown, select Revert Validation.
2. Review the tasks and select Submit to confirm.
After you revert the workflow state, a message banner will appear, stating how many tasks were successfully reverted, and how many could not be reverted (tasks that are not in the Validated workflow state or are Not Applicable).
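As an added example (not the platform's own code), this Python model encodes the bulk-action rules from the sections above: which workflow states each action refuses, the resulting state, and the counts the summary banner reports. Assumed, because the page does not state it: Revert Validation returns a task to Completed, and Send Back acts only on Completed tasks, so a Validated task needs Revert Validation first.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Iterable, Optional


class State(Enum):
    """Workflow states named on the page; a scored task stays open until it is completed."""
    UNSCORED = "not scored yet"
    OPEN = "scored"
    COMPLETED = "Completed"
    VALIDATED = "Validated"


@dataclass
class Task:
    """One Safeguard task. Constructed sample data, not the platform's data model."""
    number: str
    applicable: bool = True
    state: State = State.UNSCORED
    assignee: Optional[str] = None


def _bulk(tasks: Iterable[Task], allowed: Callable[[Task], bool], new_state: State):
    """Move every applicable task that passes `allowed` into `new_state` and return
    (changed, could_not) for the banner. Not Applicable tasks never pass, because
    workflow actions are not available for them."""
    tasks = list(tasks)
    changed = 0
    for t in tasks:
        if t.applicable and allowed(t):
            t.state = new_state
            changed += 1
    return changed, len(tasks) - changed


def bulk_complete(tasks):
    """Complete: refused for unscored, Not Applicable, or already Completed/Validated tasks."""
    return _bulk(tasks, lambda t: t.state is State.OPEN, State.COMPLETED)


def bulk_send_back(tasks):
    """Send Back: returns Completed tasks to the open (scored) state; refused for unscored
    or Not Applicable tasks. Assumption: Validated tasks need Revert Validation first."""
    return _bulk(tasks, lambda t: t.state is State.COMPLETED, State.OPEN)


def bulk_validate(tasks):
    """Validate: refused for tasks that are not Completed, Not Applicable, or already Validated."""
    return _bulk(tasks, lambda t: t.state is State.COMPLETED, State.VALIDATED)


def bulk_revert_validation(tasks):
    """Revert Validation: refused for tasks not in Validated or Not Applicable.
    Assumption: the task goes back to Completed, from where it can be validated again."""
    return _bulk(tasks, lambda t: t.state is State.VALIDATED, State.COMPLETED)


def _assignable(t: Task) -> bool:
    # Completed, Validated and Not Applicable tasks can be neither assigned nor unassigned.
    return t.applicable and t.state not in (State.COMPLETED, State.VALIDATED)


def bulk_assign(tasks: Iterable[Task], user: str):
    """Assign User: returns (assigned, reassigned, could_not) for the banner."""
    assigned = reassigned = could_not = 0
    for t in tasks:
        if not _assignable(t):
            could_not += 1
        elif t.assignee is None:
            t.assignee, assigned = user, assigned + 1
        else:
            t.assignee, reassigned = user, reassigned + 1
    return assigned, reassigned, could_not


def bulk_unassign(tasks: Iterable[Task]):
    """Unassign User: returns (unassigned, had_no_assignee, could_not) for the banner."""
    unassigned = none_before = could_not = 0
    for t in tasks:
        if not _assignable(t):
            could_not += 1
        elif t.assignee is None:
            none_before += 1
        else:
            t.assignee, unassigned = None, unassigned + 1
    return unassigned, none_before, could_not


def bulk_toggle_applicability(tasks: Iterable[Task], applicable: bool):
    """Toggle Applicability: returns (set_to_new_value, already_in_that_state)."""
    changed = already = 0
    for t in tasks:
        if t.applicable == applicable:
            already += 1
        else:
            t.applicable, changed = applicable, changed + 1
    return changed, already
```

Walking a constructed set of tasks through `bulk_complete`, `bulk_validate` and `bulk_assign` in turn reproduces the banner counts: a task that was just validated drops out of the assignable set, and the Not Applicable task is refused by every action.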
Event Log¶
Event Log displays a record of events for the assessment.
Log entries are created for actions such as:
- Creating a new assessment
- Importing an assessment
- Closing/Reopening an assessment
- Changing the assessment's Implementation Group
Each log entry includes the user who performed the action and the date/time of the action.
Go to Event Log¶
1. Go to Controls Console or an Organization Info page and select the assessment name.
2. Go to Event Log.
Calendar¶
The Calendar tab displays a calendar with tasks by due date.
Actions¶
- Change Time Increment
- Shift Calendar
- View Task Details
- View More Tasks
- View Workflow Status
- Go to Safeguard View for Task
Change Time Increment¶
1. Go to Controls Console or an Organization Info page and select the assessment name.
2. Go to Calendar.
3. Select Month, Week, or Day to change the calendar view by time increments.
Shift Calendar¶
- Select the single arrows to move forward or backward by a month, week, or day depending on the current view.
- Select double arrows to move forward or backward by a full year.
- Select today to return the calendar to the current day.
View Task Details¶
1. Go to Controls Console or an Organization Info page and select the assessment name.
2. Go to Calendar.
3. Hover over a task on the calendar to view:
- Task number
- Title
- Assigned To user
- Due date
- Assigned By user
- Completed By user
- Validated By user
View More Tasks¶
1. Go to Controls Console or an Organization Info page and select the assessment name.
2. Go to Calendar.
3. Select +# more to display all the tasks for that day.
View Workflow Status¶
The tasks have checkmarks to indicate their status in the workflow:
- A double checkmark preceding the task indicates the task has been validated.
- A single checkmark indicates the task has been completed but not validated.
- No checkmark indicates that the task has not yet been completed.
Go to Safeguard View for Task¶
1. Go to Controls Console or an Organization Info page and select the assessment name or Go to Assessment Dashboard icon for the assessment.
2. Go to Calendar.
3. Select a task to go to its Safeguard View.
Assigned Tasks¶
The Assigned Tasks tab contains a list of the uncompleted tasks assigned to you for the assessment. You will have a separate list of assigned tasks for each assessment.
Go to Assigned Task¶
1. Go to Controls Console or an Organization Info page and select the Assigned Tasks icon to go to the tab.
2. To go to a task assigned to you, select it to go to its Safeguard View.
Pending Validation Tasks¶
The Pending for Validation Tasks tab contains a list of completed but not validated tasks for which you are the assignor. You will have a separate list of pending validation tasks for each assessment.
Go to Pending Validation Task¶
1. Go to Controls Console or an Organization Info page and select the Pending Tasks icon to go to the tab.
2. Select the task to go to its Safeguard View.
Control¶
Each Control has a dedicated page in the assessment where you can view performance metrics for that Control and work on its Safeguards.
Navigate to and between Controls¶
1. Go to Controls Console or an Organization Info page and select the assessment name.
2. From the Controls Map, select a Control to go to its page.
3. Select a Control to navigate between Controls pages.
Control-Level Performance Snapshot¶
View performance metrics for the Control.
| Metric | Description | Calculation |
|---|---|---|
| Assessment Average | The score for the whole assessment | Sum of Validated and Applicable Control Averages* divided by Number of Applicable Controls |
| Control Average | The average score for the Control | Sum of Validated and Applicable Safeguard scores divided by Number of Safeguards |
| Industry Average | The average assessment score for the organization's industry | Sum of all Control Averages for industry divided by Number of organizations in industry |
| Control Completed | Percent of applicable Safeguards completed | |
| Control Validated | Percent of applicable Safeguards validated | |
* A Control is considered applicable if at least one of its Safeguards is applicable.
Safeguard View¶
The Safeguard View (also referred to as the Sub-Control or Task View) allows you to view details on individual Safeguards, set Safeguard scores, and perform workflow actions.
Organization Admins and Full Users have access to all tasks. Basic Users have access only to their assigned tasks.
Expand/Collapse Safeguard View
Select a Safeguard's name to expand its view; select the name again to collapse it.
Actions Available by Role¶
Action | Org. Admin | Full User | Basic User |
---|---|---|---|
Set Applicability | X | X | |
Score Safeguard | X | X | X |
Assign, Re-assign, or Unassign Task | X | X | |
Complete Task | X | X | X |
Send Back Task | X | X | |
Validate Task | X | X | |
Revert Validation | X | X | |
Upload, Download, or Delete Evidence | X | X | X |
Add or Delete Comments | X | X | X |
Set Applicability¶
1. Go to a Control.
2. For a Safeguard, select Applicable? to make the Safeguard applicable or not.
Note
A task that is not applicable cannot be scored, and workflow actions for it will not be available.
Score Safeguard¶
1. Go to a Control.
2. From the Safeguard Score dropdown for a Safeguard, select a score.
Note
When Not Applicable or Not Available is selected, the Safeguard is given a score of 1 (0-20%).
The score automatically saves when the selection is changed. You can see the score in the Task Information section's Score field.
Scoring Method
The CIS SecureSuite Platform uses a Simple Scoring Method for CIS Controls assessments. This means that each CIS Safeguard can be assigned a whole number score of 1-5.
Reference ranges are provided with each option; for instance, if an organization has a Safeguard implemented on 50% of their systems, they could select a score of 3, which has a reference range of 41 – 60%. These reference ranges are only for convenience. They are not strict standards to follow. If an organization has its own way of scoring on a 1 – 5 scale that differs from the reference ranges, select the 1 – 5 scores that fit the organization's scoring methodology.
The 1–5 Safeguard score is converted to a percentage with the formula:
(Score – 1) * 25.
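As an added example (not code from the CIS SecureSuite Platform), the score conversion above and the Control-Level Performance Snapshot calculations applied to constructed sample data; it assumes averages are taken over the converted 0-100 scores and that a Safeguard counts toward an average only when it is applicable and validated, as the calculation table states.

```python
# Added example, not CIS SecureSuite Platform code: applies the Simple Scoring
# conversion and the Performance Snapshot calculations to constructed data.
# Assumption (not stated on the page): averages use the converted 0-100 scores.
from dataclasses import dataclass, field

@dataclass
class Safeguard:
    ident: str
    score: int              # whole-number 1-5 from the Safeguard Score dropdown
    applicable: bool = True
    validated: bool = False

@dataclass
class Control:
    ident: str
    safeguards: list = field(default_factory=list)
    def applicable(self) -> bool:
        # Footnote rule: applicable if at least one Safeguard is applicable.
        return any(s.applicable for s in self.safeguards)

def score_to_percent(score: int) -> int:
    """(Score - 1) * 25, so 1 -> 0, 3 -> 50, 5 -> 100."""
    if score not in range(1, 6):
        raise ValueError("Safeguard scores are whole numbers 1-5")
    return (score - 1) * 25

def control_average(control: Control) -> float:
    """Sum of validated and applicable Safeguard scores / number of Safeguards."""
    counted = sum(score_to_percent(s.score) for s in control.safeguards
                  if s.applicable and s.validated)
    return counted / len(control.safeguards) if control.safeguards else 0.0

def control_validated(control: Control) -> float:
    """Percent of applicable Safeguards that have been validated."""
    applicable = [s for s in control.safeguards if s.applicable]
    done = sum(1 for s in applicable if s.validated)
    return 100.0 * done / len(applicable) if applicable else 0.0

def assessment_average(controls: list) -> float:
    """Sum of applicable Control Averages / number of applicable Controls."""
    applicable = [c for c in controls if c.applicable()]
    total = sum(control_average(c) for c in applicable)
    return total / len(applicable) if applicable else 0.0

# Constructed sample: Control 3 has no applicable Safeguard, so it is excluded.
SAMPLE = [
    Control("1", [Safeguard("1.1", 3, validated=True), Safeguard("1.2", 5, validated=True)]),
    Control("2", [Safeguard("2.1", 4, validated=True), Safeguard("2.2", 2)]),
    Control("3", [Safeguard("3.1", 1, applicable=False)]),
]
```

Note that Safeguard 2.2 is scored but not yet validated, so it contributes nothing to Control 2's average until it is validated, which is why validating a task updates the averages.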
Assign User to Task¶
1. Go to a Control.
2. For a Safeguard, select Assign User.
3. Configure as follows:
- Assign to: Select an organization user to whom the task will be assigned.
- Due Date: Select a new due date for the task.
- Comment: (Optional) Enter a message to include with the assignment notification.
4. Select Assign.
The task will then appear in the user’s Assigned Tasks tab for that assessment. Also, an assignment email is sent to the assignee (unless the assignee is the same as the assignor) along with the optional comment.
Reassign Task¶
The Reassign User option appears once a task has been assigned. The procedure for reassigning tasks is the same as for assigning them.
1. Go to a Control.
2. For a Safeguard, select Reassign User.
3. Configure as follows:
- Assign to: Select an organization user to whom the task will be assigned.
- Due Date: Select a new due date for the task.
- Comment: (Optional) Enter a message to include with the reassignment notification.
4. Select Assign.
The task will then appear in the new assignee’s Assigned Tasks tab for that assessment. Also, an assignment email is sent to the assignee (unless the assignee is the same as the assignor) along with the optional comment.
Remind Assignee or Assignor¶
Email a reminder to an assignee to complete a task, or to an assignor to validate a completed task.
1. Go to the Control.
2. For a Safeguard, select the Notify icon beside the Assigned To user or Assigned By user.
3. Enter an optional comment.
4. Select Send Reminder to email the assignee or assignor about the task.
Unassign User from Task¶
Unassign users from tasks that have been assigned to them but not completed.
1. Go to the Control.
2. For a Safeguard, select the Unassign User icon beside the Assigned To user.
3. Select OK to confirm.
Unassignment will remove the Assigned To user, Assigned By user, Assigned Date, and Due Date, returning the task to an unassigned state.
Complete Task¶
Complete tasks after they have been scored. Completed tasks are ready to be reviewed and either sent back or validated.
1. Go to the Control.
2. For a Safeguard, select Complete to make the task ready for validation.
An email requesting validation of the task will be sent to the assignor (unless the completing user is the Assigned By user).
Note
The user who completes an unassigned task is automatically assigned to it.
Send Back Task¶
Send back completed tasks to reassign them or request evidence. If a task is sent back, it will return to the Assigned Tasks list for the assignee and be removed from the Pending for Validation Tasks list for the assignor.
1. Go to the Control.
2. For a Safeguard, select Send Back to revert the Completed state.
3. (Optional) Enter a comment.
4. Select Send Back.
An email update will be sent to the Assigned To user and, if different, the Completed By user.
Validate Task¶
Once a task is completed, you can validate it. Validation locks the scoring dropdown and the ability to upload evidence files.
1. Go to the Control.
2. For a Safeguard, select Validate to finalize a task.
Validating a task automatically updates the Assessment Average, Control Average, and Control Validated metrics.
Revert Validation for Task¶
Once a task is validated, you can revert that validation. Reverting a validation unlocks the scoring dropdown and the ability to upload evidence files. It also adds the task back to the Pending for Validation Tasks list for the Assigned By user.
1. Go to the Control.
2. For a Safeguard, select Revert Validation to revert the task back to the Completed state.
Upload Evidence Files¶
Upload evidence to the task to justify your score.
1. Go to the Control.
2. For a Safeguard, select Upload Evidence.
3. Select Choose File and choose the evidence file to upload.
Note
The maximum file size for uploads is 15MB.
4. Select Upload to finish.
Download Evidence Files¶
If evidence files have been uploaded to the task, there will be an Evidence section below the workflow buttons. This section displays a list of uploaded evidence files.
1. Go to the Control.
2. For a Safeguard, select an evidence file to download it.
3. Select a location to save the file.
Delete Evidence Files¶
Deleted evidence files cannot be recovered.
1. Go to the Control.
2. For a Safeguard, select the Delete icon to the left of the target evidence file.
Add Comment to Discussion¶
Add comments to the Discussion section to communicate with other organization users.
1. Go to the Control.
2. For a Safeguard, select Add Comment.
3. Enter the message.
Note
Comments are limited to 250 characters.
4. Select Add Comment.
Comments are annotated with the commenter's name and the date/time of submission.
Delete Comment from Discussion¶
Delete your own comments from the Discussion section.
1. Go to the Control.
2. For a Safeguard, select the Delete icon for the comment.
View History¶
The History section serves as a log for that task’s events. It provides details on the action that occurred, which user performed the action, and when that action took place.
1. Go to the Control.
2. For a Safeguard, select History.
Task Information¶
Additional task information can be found to the right of the workflow actions.
Field | Description |
---|---|
Score | The Safeguard score converted to a 0 – 100 scale along with a color-coded score indicator. |
Mappings | The Safeguard's mappings to other frameworks. Each mapping includes the framework and the specific identifier within that framework to which the Safeguard is mapped. You will only see the mappings you have enabled in Mapping Preferences. Currently, the CIS SecureSuite Platform offers the following mappings: CIS Controls v7.1 to NIST 800-53 Revision 4 Low Baseline, NIST CSF 1.1, NIST CSF 2.0, and PCI DSS v3.2.1; CIS Controls v8.1 to NIST 800-53 Revision 5 Low Baseline, NIST CSF 1.1, and NIST CSF 2.0. |
Custom Tags | The tags associated with the task. Custom tags can be used to filter results on the Assessment Summary page. You can create new ones and remove unnecessary ones. Tags are case insensitive (e.g., ABC will be treated the same as abc). To create a new tag, enter the tag name and press the Enter key or Spacebar; to remove a tag, select the x next to it. |
Asset Type | The type of asset to which the Safeguard applies (e.g., data, devices, documentation, etc.). |
Security Function | The security function identified for the CIS Safeguard. These functions are based on those used in the NIST Cybersecurity Framework: Identify, Protect, Detect, Respond, and Recover. |
Assigned To | The assignee or user to whom the task was assigned. |
Due Date | The date by which the task should be validated. |
Assigned By | The user who assigned the task. |
Completed By | The user who completed the task. |
Validated By | The user who validated the task. |
Tip
You can select a mapping to view it in detail or a user to view their profile.
Organizations¶
Organizations is where System Admins and Organization Admins can manage organizations and their users.
Actions¶
Create Organizations¶
1. Go to Organizations.
2. Select Create New.
3. Configure the organization as follows:
- Parent Org (Optional): Select a parent organization for the new organization. The new organization will be a sub-organization of its parent organization.
- Organization Name: Enter the organization's name. It must be unique within the CIS SecureSuite Platform instance.
- Website: Enter the organization's complete URL (e.g., https://www.example.com).
- Industry: Select the organization's industry.
4. (Optional) Add users to the organization and configure their organization roles:
A. Select users to add to the organization.
B. Select the organization roles for the users.
5. Select Submit to create the organization.
Note
The user who creates the organization will automatically be added to its Admin organization role. The System Admin role alone does not allow you to create sub-organizations within top-level or parent organizations. You must have the Organization Admin role for each organization in which you want to create sub-organizations.
Edit Organizations¶
1. Go to Organizations.
2. Select the Edit icon for the target organization.
3. Edit the organization as desired:
- Parent Org (Optional): Select a new parent organization or select None to remove the parent organization.
- Organization Name: Enter the organization's name. It must be unique within the CIS SecureSuite Platform instance.
- Website: Enter the organization's complete URL (e.g., https://www.example.com).
- Industry: Select the organization's industry.
4. (Optional) Add users to the organization and configure their organization roles:
A. Select users to add to the organization.
B. Select the organization roles for the users.
C. Select whether to include the users in the organization's sub-orgs.
5. (Optional) Remove users from the organization and unassign/reassign their tasks:
A. For the user, select x.
B. Select one of the assignment options:
- Unassign Tasks
- Reassign Tasks and then select a user
C. Select Remove to return to editing the organization.
6. Select Submit to finish editing.
Delete Organizations¶
Deleting organizations is permanent. You will have to recreate and reconfigure deleted organizations.
1. Go to Organizations.
2. Select the Delete icon for the target organization.
3. Select Delete Organization to confirm.
CIS Controls¶
View detailed information about the Controls versions, individual Controls, and Safeguards.
View Controls and Sub-Controls¶
1. Select a Controls version to see its Controls.
2. Select a Control to expand/collapse its description and Safeguards.
3. Select a Safeguard to view its details.
You will see the complete details of the Safeguard.
Controls Versions¶
CIS collaborates with our global community of cybersecurity experts to continually develop the CIS Controls. Refer below for information on how the Controls versions differ.
Controls v7.0 vs v7.1¶
- Implementation Groups (IGs): Controls v7.1 introduced Implementation Groups to help organizations prioritize their cybersecurity efforts based on their resources, expertise, and risk exposure.
- Focus: v7.0 brought more focus to key topics like authentication, encryption, and application allowlisting. v7.1 builds on this focus by including new guidance and improvements.
- One Ask Per Task for Easier Measurement: The community worked tirelessly to clarify and simplify each CIS Control in v7.0, making it easier for users to follow along. By eliminating multiple tasks within a single Safeguard, the CIS Controls are easier to measure, monitor, and implement.
- Improved Wording: For v7.1, the wording of each Safeguard was reviewed and edited for consistency and clarity, making it easier for users to understand and implement the Controls.
- Alignment with Other Frameworks: Both versions align with other cybersecurity frameworks, but v7.1 provides better mapping to frameworks like the NIST Cybersecurity Framework.
- Community Feedback: Both versions were developed with input from a global community of cybersecurity experts, and v7.1 included more extensive feedback and collaboration.
- No Controls or Safeguards were added or removed in v7.1.
Controls v7.1 vs v8.0¶
- Controls Updates:
  - v8.0 introduced new Controls, such as "Service Provider Management," which addresses the management of third-party service providers and their security practices.
  - v8.0 has 18 Controls instead of v7.1’s 20. This streamlining helps organizations focus on the most critical areas.
  - Some Controls were renamed and regrouped to better reflect modern security practices and technologies.
- Implementation Groups (IGs): While IGs were introduced in v7.1, v8.0 further refined them to better assist organizations in prioritizing their essential cybersecurity hygiene efforts.
- Focus on Cloud and Mobile Environments: v8.0 places a greater emphasis on cloud and mobile environments, recognizing the growing importance of these areas in modern IT infrastructure.
- Alignment with Other Frameworks: Version 8.0 continues to align with other cybersecurity frameworks, such as the NIST Cybersecurity Framework v1.0, but with improved mapping and guidance.
Controls v8.0 vs v8.1¶
- New Security Function: Controls v8.1 features a security function that was not in v8.0: Govern. Govern is defined as follows: the organization’s cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitored. For v8.1, all Safeguards were re-evaluated and, when appropriate, moved to Govern.
- Improved Wording: CIS has performed a general cleanup of and added clarifying statements to descriptions, asset classes, and asset definitions for v8.1. The intentions of each Safeguard have remained unchanged; they should just be clearer than they were in v8.0.
- Alignment with Other Frameworks: v8.1 continues to align with other cybersecurity frameworks, such as the NIST Cybersecurity Framework v2.0, but with improved mapping and guidance.
- No Controls or Safeguards were added or removed in v8.1.