Glossary
Assessments
The process of evaluating a system's state or an organization's overall risk posture against the CIS Benchmarks or CIS Controls, respectively.
CIS Benchmarks
Guidelines for hardening specific operating systems, middleware, software applications, and network devices. Mapped to the CIS Critical Security Controls (CIS Controls), the CIS Benchmarks elevate the security defenses for cloud provider platforms and cloud services, containers, databases, desktop software, server software, mobile devices, network devices, and operating systems.
With the CIS SecureSuite Platform, users can run automated or manual assessments of their systems' security posture against the CIS Benchmarks.
CIS Critical Security Controls
A general set of recommended practices for securing a wide range of systems and devices. The Controls are a prioritized list of highly effective defensive actions that provide a “must-do, do-first” starting point for every enterprise seeking to improve its cyber defense.
With the CIS SecureSuite Platform, organizations can conduct self-assessments of their implementation of the CIS Controls.
CIS Safeguards
Specific actions that can be implemented, or activities that can be performed, to improve an organization’s cyber defense program. Each CIS Control is made up of one or more Safeguards.
CIS Safeguards were known as CIS Sub-Controls prior to CIS Controls v8.
CIS-CAT Pro Assessor
The tool to evaluate posture information collected from a target system against CIS Benchmarks.
CIS-CAT Pro Dashboard
The tool to view and evaluate configuration assessment results. CIS-CAT Pro Dashboard uses the Benchmark assessment reports generated by CIS-CAT Pro Assessor.
CIS CSAT Pro
The tool to perform self-assessments against the CIS Controls.
CIS SecureSuite Platform
A self-managed web application installed on a Member's premises that combines the functionality of the CIS Configuration Assessment Tool (CIS-CAT) Pro Dashboard and the Controls Self Assessment Tool (CIS CSAT) Pro in a single platform.
Exceptions
Functionality to ignore specified CIS Benchmark Recommendations during assessments by target system, globally (all targets for a specific benchmark), or by targets associated with user-defined tags.
Implementation Groups
Groups that organize and prioritize the CIS Safeguards. There are three Implementation Groups to help organizations decide which Safeguards to implement first:
- IG1: Safeguards that cover essential cyber hygiene. Organizations with limited resources and low-sensitivity data may choose to implement IG1.
- IG2: Safeguards that focus on helping security teams manage sensitive client or company information. Organizations with moderate resources and greater risk exposure from handling more sensitive assets and data may choose to implement IG2 along with IG1.
- IG3: Safeguards that help reduce the impact of targeted attacks from sophisticated adversaries. Mature organizations with significant resources and high risk exposure from handling critical assets and data should implement the Safeguards under IG3 along with IG1 and IG2.
Note
Each Implementation Group builds on the lower Implementation Groups; thus, an organization implementing IG2 should also implement IG1, and an organization implementing IG3 should implement all three Implementation Groups.
Based on the resources available to the organization, as well the criticality of the data and services that require protection, the organization can determine whether they should also implement additional Safeguards from IG2 and IG3.
Industry Average Service
A service that displays industry average data for your organization's industry or industries across your CIS SecureSuite Platform instance. The data includes an assessment level industry average and Control-level industry averages.
Opting in to the Industry Average Service also means that you will share anonymous assessment data (CIS Safeguard scoring data) from your CIS SecureSuite Platform instance securely with CIS over a TLS v1.3 connection. Sharing this anonymous data helps improve CIS’s industry average data set.
While the industry average information can be useful as a point of comparison for your organization, it should not be used to determine whether your organization has reached an acceptable level of maturity in your implementation of the CIS Controls; the decision of what is an acceptable level of maturity for the CIS Controls implementation for your organization should be made only after performing a thorough risk analysis for your organization.
Organization
A group of users within your CIS SecureSuite Platform instance that performs Controls assessments. Organizations are structured into organization trees, each of which consists of a top-level organization and any sub-organizations beneath it.
Organization Role
Roles that define a user's access to actions and product areas for their assigned organizations.
- Organization Admin: Full access to the organization, its assessments, and user and role management. Organization Admins can create new Controls assessments and sub-organizations under the top-level organization.
- Full User: Full access to work on existing assessments in the organization. Full Users cannot create new assessments or manage organizations, users and roles.
- Basic User: Limited access to the organization’s assessments and can only view/complete tasks that have been assigned to them. Basic Users cannot create new assessments or manage organizations, users, and roles.
Reports
The results of your assessments. Different formats are offered depending on the use case.
Complete Report
A report that provides the overall pass/fail result of each Recommendation. It is designed to help auditors have a complete picture of the latest assessment results.
Remediation Report
A report that provides remediation steps for the failed Recommendations for the selected configuration assessment result. It is designed to help operators have all the remediation steps available in an easy-to-read format.
Exception Report
A report that shows all the group or rule exceptions applied to an assessment.
Last Scan Failed Results Report
A report that shows the count of target systems' failed Recommendations for the most recent configuration assessment results for the selected Benchmark.
Job Status Report
A report that shows all active and historical jobs (assessments).
SecureSuite License
A SecureSuite License is required for the CIS SecureSuite Platform. If a valid license is not present, the CIS SecureSuite Platform will not install or upgrade. If the CIS SecureSuite Platform is installed but your license expires, certain functionality is restricted.
System Role
Roles that define a user's access to actions and navigation within the application.
- System Admin: Has access to all areas of the CIS SecureSuite Platform. Can perform remote configuration assessments, bulk actions, and delete actions.
- Basic: Has access to all areas of the CIS SecureSuite Platform except for Admin. Cannot perform remote configuration assessments, bulk actions, and delete actions.
Tags
Functionality to group target systems by assigning user-defined labels. A tag could represent a region, a department, internal/external ownership, functional use, operating systems, etc.
Tags can be leveraged when applying CIS Benchmark exceptions or organizing the Benchmarks Console > Tag View.
Target System
Endpoints in your environment that have been or will be assessed with CIS-CAT Pro Assessor or the CIS SecureSuite Platform.