CIS CSAT - IT Security Assessment Tool

Dominik Altermatt, Offense Department, scip AG, [email protected], https://www.scip.ch
Marc Ruef (Editor), Research Department, scip AG, [email protected], https://www.scip.ch

Abstract: CSAT is a free web app from CIS. The app lets users run CIS Controls assessments. This includes a basic set of useful features. It is not yet fully mature in certain areas. It may be something worth keeping an eye on.

Keywords: Amazon, Assessment, AWS, CIS, Cloud, Dashboard, East, Excel, Framework, Hotellerie

1. Preface

This paper was written in 2019 as part of a research project at scip AG, Switzerland. It was initially published online at https://www.scip.ch/en/?labs.20190314 and is available in English and German. Providing our clients with innovative research for the information technology of the future is an essential part of our company culture.

2. Introduction

People are gradually beginning to understand the need for solid IT security frameworks on all fronts. Governments [1], industry associations [2] and independent organizations [3] are publishing and refining their standards and guidelines on how individual IT infrastructures should and must be protected against the complete array of threats. This, of course, takes more than merely understanding them; effective action is required.

But this can be the start of a difficult process. It takes investment, perhaps in hardware, software, staffing and expertise. If IT security has been neglected over a period of many years, it will take more than a few months to bring it up to speed. In other words, structures are required to guide the implementation of security controls and keep processes on track. Then it is up to management to allocate the appropriate resources – (ideally) over a period of several years. New budget items should therefore be transparent, and progress must be tangible. Otherwise, the initial euphoria will quickly be replaced by the monotony of day-to-day business.

Anyone using CIS Controls for this purpose, or planning to, now has a helpful resource. A few weeks ago, CIS released a new online tool called CIS CSAT [4] which simplifies the assessment and management of CIS Controls. But most importantly, its lean website makes effective usage a more appealing experience.

3. CIS Controls

Currently in version 7, CIS Controls offers 20 controls, each of which includes between 5 and 13 sub-controls.

Figure: CIS Critical Controls

To find out more, visit the website [5].

4. CSAT schema

Figure: CSAT High-Level Workflow


The tool includes a minimal set of features, but these are more than enough to set up and operate an IT security framework. The main features include:

- The assessment form for all 20 CIS controls and their sub-controls
- A validation workflow using sub-controls. This allows multiple individuals to verify that the data collected using the sub-control is legitimate.
- Dashboard with graphs to properly visualize items such as the maturity and implementation status of controls
- Data export functions to Excel and PowerPoint

5. Review of CIS CSAT

The first thing a company needs to establish before using the tool is whether it is happy with effectively shifting its IT security to the cloud.

This means placing your trust in CIS as the operator and Amazon (AWS US East Region) as the provider. If you want to be on the safe side you can use the platform anonymously without uploading identifying information, while still benefiting from the management and visualization features. An initial review suggests that this is quite simple.

5.1. Walk-through

After signing in, you will see the dashboard for the current assessment. It will be empty at first. The dashboard provides a range of information and charts, without being too overwhelming.

Figure: Overall Dashboard

Clicking on one of the controls (blue buttons) takes you to the dashboard for the control. You will then see several figures, such as scoring and completeness status, as well as the list of sub-controls.

Figure: Control Dashboard

The next click takes you to the assessment form for the respective sub-control.

Figure: Assessment Form for a Sub-Control

A brief introductory text provides information on the selected sub-control, followed by references to the corresponding PCI DSS [6] and NIST [7] controls, which can sometimes be convenient for further investigation of the controls and for compliance reports. The actual assessment is based on responses to the four questions in the drop-down menus, and carried out by clicking the Complete Sub-control button. The sub-control is then validated or sent back for reprocessing with an additional click. The user management interface allows other users to perform validation as well.

Figure: Validate Sub-Control

An audit trail makes the whole assessment process easily traceable.

Figure: Audit Trail
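The sub-control workflow from the walk-through (complete, then validate or send back by a second person, with an audit trail), as an added Python example that is not CSAT's code. It also carries a finished run forward so that only changed sub-controls are re-assessed, the pre-population behaviour the review goes on to ask for. The four drop-down questions are assumed to be the four areas the paper names (policy, implementation, automation, reporting), and the drop-down values are constructed.

```python
from dataclasses import dataclass, field

# Assumption: the four areas named in the paper are the four drop-down questions per sub-control.
AREAS = ("policy", "implementation", "automation", "reporting")
# Constructed drop-down values; the real CSAT option lists are not in the paper.
LEVELS = ("not implemented", "partially implemented", "fully implemented")


@dataclass
class SubControl:
    cid: str                                  # e.g. "1.1"
    answers: dict = field(default_factory=dict)
    status: str = "open"                      # open | completed | validated
    assessor: str = ""
    audit: list = field(default_factory=list)

    def complete(self, user: str, answers: dict) -> None:
        """'Complete Sub-control': every question needs a valid drop-down value."""
        if set(answers) != set(AREAS) or any(v not in LEVELS for v in answers.values()):
            raise ValueError(f"{self.cid}: all four questions need a valid answer")
        self.answers, self.status, self.assessor = dict(answers), "completed", user
        self.audit.append(f"{user} completed {self.cid}")

    def validate(self, validator: str, accept: bool) -> None:
        """A second person validates or sends back; nobody signs off their own entry."""
        if self.status != "completed":
            raise ValueError(f"{self.cid}: nothing to validate")
        if validator == self.assessor:
            raise ValueError(f"{self.cid}: validator must differ from assessor")
        self.status = "validated" if accept else "open"
        self.audit.append(f"{validator} {'validated' if accept else 'sent back'} {self.cid}")


def new_run(previous: dict, changed: dict, user: str) -> dict:
    """Pre-populate a new run: only sub-controls listed in `changed` are re-assessed
    (and must be re-validated); every other one keeps its answers and status."""
    run = {}
    for cid, prev in previous.items():
        sc = SubControl(cid, dict(prev.answers), prev.status, prev.assessor,
                        [f"carried forward from previous run as {prev.status}"])
        if cid in changed:
            sc.complete(user, changed[cid])
        run[cid] = sc
    return run


def demo() -> dict:
    """Constructed sample: two sub-controls validated in run 1, one improved in run 2."""
    base = dict.fromkeys(AREAS, "not implemented")
    run1 = {cid: SubControl(cid) for cid in ("1.1", "1.2")}
    for sc in run1.values():
        sc.complete("alice", base)
        sc.validate("bob", accept=True)
    return new_run(run1, {"1.1": dict(base, implementation="fully implemented")}, "alice")
```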
Filling out all 171 sub-controls is somewhat time-consuming. The corresponding workflow is still a bit cumbersome, requiring a lot of scrolling and clicking. It would be nice to have a more streamlined process here.

Once all of the controls are assessed, the dashboard takes on more color and the user will see the desired overview. CSAT assesses all controls and presents them in a graphic visualization.

Figure: Overall Dashboard after Assessment

For example, a company without an IT security framework might see something like this in a first assessment.

These graphs can be exported to PowerPoint with a simple click and then used immediately to create reports for stakeholders.

Figure: Maturity Graphs

The assessment run is now complete and a current IT security status report is available.

This allows you to very effectively and precisely define where (control and sub-control) measures should and must be taken in specific areas (policy, implementation, automation, and reporting). You can add relevant projects – and there you have an IT security framework using CIS Controls.

It is a good idea to carry out a new assessment after a reasonable period of time to measure and depict progress in IT security. You can trigger this new assessment from the dashboard.

Oops – CSAT still has a gaping hole here. If you’re expecting the new assessment to draw data from the previous assessment you will be disappointed and instead discover the forms are blank for all controls. In other words, you have to fill everything in all over again. Completing all 170 sub-controls again for each assessment run is very laborious and impractical. You would expect that only controls/sub-controls where progress had been made would have to be updated, with all the others simply retaining their current state.

We have submitted this feature request to CIS. It is currently unclear if and when pre-population of the previous assessment run will be implemented.

6. Conclusion

CIS CSAT simplifies the management of CIS Controls, making it more attractive. The basic structure and feature set of the web application does this quite well. However, CIS should work on offering a smoother workflow for the assessment run.

Unfortunately, the absence of a pre-population feature, which uses data from the previous assessment, makes the tool very time-consuming to use, particularly when you have a lot going on in the area of IT security, or when you need to generate quarterly reviews, say. Hopefully CIS will implement this feature to make this effective security management tool a very simple and appealing tool.

An offline version would, of course, be a welcome addition which would cut out the step of anonymizing data for upload.

7. External Links

[1] https://www.bsi.bund.de/EN/Topics/ITGrundschutz/itgrundschutz_node.html
[2] https://www.hotelleriesuisse.ch/cybersicherheit
[3] https://www.defcon-switzerland.org/
[4] https://www.cisecurity.org/blog/cis-csat-free-tool-assessing-implementation-of-cis-controls/
[5] https://www.cisecurity.org/controls/
[6] https://www.pcisecuritystandards.org/
[7] https://www.nist.gov/cyberframework