Current Assessment¶
Introduction¶
Current Assessment is where organization users can view the current assessment's progress and results, assign tasks, and score Sub-Controls.
This guide covers:
- All Controls
- Assigned Tasks
- Pending for Validation
- Calendar
- Understanding Scoring
- Understanding Implementation Groups
Note
Each organization has its own dedicated Current Assessment pages, so ensure you go to the intended organization by selecting it from Organizations.
Starting a New Assessment
Once your organization is finished with its current assessment, you can close it by starting a new one via the Dashboard.
All Controls¶
Score and bulk edit all the Sub-Controls.
Actions¶
Score Sub-Control¶
1. Go to Current Assessment > All Controls.
2. Select one of the options from the four scoring category dropdowns (i.e., Policy Defined, Control Implemented, etc.).
Tip
Refer to the Understanding Scoring section for a detailed explanation on how scores and assessment averages are calculated.
The user who starts scoring the Sub-Control is automatically assigned to it. To complete and validate the Sub-Control, an Admin must go to the corresponding Sub-Control View.
Go to Sub-Control/Safeguard View¶
1. Go to Current Assessment > All Controls.
2. Under Control Question, select the appropriate question to go to the related Sub-Control View.
Bulk Edit¶
1. Go to Current Assessment > All Controls.
2. Select the checkboxes of the Sub-Controls to edit.
3. From the Action dropdown, select one of the bulk actions:
Bulk Action | Description |
---|---|
Mark as not applicable | Excludes the Sub-Control from scoring. |
Mark as applicable | Includes the Sub-Control in scoring. |
Un-assign the Control | Un-assigns the current assignee from the Sub-Control. |
Assign to user | Assigns scoring of the Sub-Control to a user. The user receives an assignment email notification. |
Assign to user workflow
Unlike the other bulk actions, Assign to user requires additional configuration. Configure as follows:
1. From Assign To, select a user.
2. From Due Date, select a date.
3. (Optional) Enter a message.
4. Select Save.
5. Select Save.
Filter Sub-Control List¶
Filter the list of Sub-Controls displayed to see only the pertinent ones.
1. Go to Current Assessment > All Controls.
2. Select Filter.
3. Make the desired filter selections.
4. Select Filter to narrow down the list of Sub-Controls displayed.
Download Report¶
This report includes only the Sub-Controls your organization has started working on and provides the following information:
- Control
- Question No.
- Question Title
- Question Description
- Four Scoring Categories
- Completed By, Validated By, and Assigned To users
- Evidence Docs (Yes/No)
Note
"Question" is synonymous with Sub-Control in this context.
To download the report:
1. Go to Current Assessment > All Controls.
2. Select Download.
3. Save the XLSX report in your desired location.
Control View¶
View detailed information about a Control and work on its Sub-Controls.
Go to Control View¶
- From Dashboard, select a Control.
Performance Snapshot¶
View performance metrics for the Control.
Metric | Description | Calculation |
---|---|---|
Control Average Score | The average score of the Control's applicable Safeguards | Sum of Control's applicable Safeguard scores divided by Number of Control's applicable Safeguards |
Control Industry Average Score | The average assessment score for the organization's industry | Sum of Assessment Averages for Organizations in Industry divided by Number of Organizations in Industry |
Percentage Completed | Percent of the Control's applicable Safeguards completed | |
Percentage Validated | Percent of the Control's applicable Safeguards validated | |
Assessment Average | The score for the whole assessment | Sum of Validated and Applicable Control Averages* divided by Number of Applicable Controls |
Task Information¶
Additional task information can be found to the right of the workflow actions.
Field | Description |
---|---|
Asset Type | The type of asset to which the Sub-Control applies (e.g., data, devices, documentation, etc.). |
Security Function | The security function identified for the Sub-Control. These functions are based on those used in the NIST Cybersecurity Framework: Identify, Protect, Detect, Respond, and Recover. |
Assigned By | The user who assigned the task. |
Completed By | The user who completed the task. |
Validated By | The user who validated the task. |
Tip
If you select the user, you will go to their profile.
Set Applicability¶
1. From Dashboard, select a Control.
2. For a Sub-Control, turn on/off Applicable to make the Safeguard applicable or not.
Note
A task that is not applicable cannot be scored and workflow actions for it will not be available.
Add Tags¶
Tags act as an additional filter selection, allowing you to further narrow down Sub-Controls lists.
1. From Dashboard, select a Control.
2. Expand a Sub-Control.
3. Enter as many tags as desired.
Note
Use spaces to separate tags.
4. (Optional) Select a color for the entered tags.
5. When finished, select Add or the Enter key.
Deleting tag from Sub-Control
Select the Delete icon on the tag to delete the tag from the Sub-Control. If added to other Sub-Controls, the tag will still be available.
Score Sub-Control¶
1. From Dashboard, select a Control.
2. Expand a Sub-Control.
3. Select the appropriate scoring options from the scoring category dropdowns.
Tip
Refer to the Understanding Scoring section for a detailed explanation on how scores and assessment averages are calculated.
The score automatically saves when the selection is changed.
Assign/Reassign User to Task¶
1. From Dashboard, select a Control.
2. Expand a Sub-Control.
3. Select the Assign icon.
4. Configure as follows:
- Assign to: Select an organization user to whom the task will be assigned.
- Due Date: Select a new due date for the task.
- Comment: (Optional) Enter a message to include with the reassignment notification.
5. Select Assign.
The task will then appear in the user’s Assigned Tasks. Also, an assignment email with the optional comment is sent to the assignee.
Remind Assignee¶
Remind an assignee to complete a task via email.
1. From Dashboard, select a Control.
2. Expand a Sub-Control.
3. Select the Remind icon.
4. Enter an optional comment.
5. Select Remind to email the assignee about the task.
Unassign User from Task¶
Unassign users from tasks that have been assigned to them but not completed.
1. From Dashboard, select a Control.
2. Expand a Sub-Control.
3. Next to Assigned to, select the Unassign icon to the right of the assignee's name.
Complete Task¶
Complete tasks after they have been scored. Completed tasks are ready to be reviewed and either sent back or validated.
1. From Dashboard, select a Control.
2. Expand a Sub-Control.
3. Select Complete Sub-Control.
The Sub-Control is now ready for validation.
Note
The user who completes an unassigned task is automatically assigned to it.
Send Back Task¶
Send back completed tasks to reassign them or request evidence. If a task is sent back, it will return to the Assigned Tasks list for the assignee and be removed from the Pending for Validation Tasks list for the assignor.
1. From Dashboard, select a Control.
2. Expand a Sub-Control.
3. Select Send Back.
4. (Optional) Enter a comment explaining why you are sending back the completed Sub-Control.
5. Select Yes.
An email update will be sent to the assignee and, if different, the user who completed the Sub-Control.
Validate Task¶
Once a task is completed, you can validate it. Validation locks the scoring dropdowns and the ability to upload evidence files.
1. From Dashboard, select a Control.
2. Expand a Sub-Control.
3. Select Validate.
Validating a task automatically updates the assessment average, Control average, and Control validated.
Revert Validation for Task¶
Once a task is validated, you can revert that validation. Reverting a validation unlocks the scoring dropdowns and the ability to upload evidence files. Reverting a validation also adds the task back to the Pending for Validation Tasks list for the assignee.
1. From Dashboard, select a Control.
2. Expand a Sub-Control.
3. Select Revert validation.
4. Select Revert.
Upload Evidence Files¶
Upload evidence to the task to justify your score.
1. From Dashboard, select a Control.
2. Expand a Sub-Control.
3. Select the Upload icon.
4. Select Choose file.
5. Select the file to upload.
File restrictions
The max file size allowed is 5MB. The allowed file extensions are PDF, DOC, DOCX, RTF, PPT, PPTX, XLSX, TXT, PNG, JPEG, JPG, and GIF.
6. Select Upload to confirm.
Download Evidence Files¶
If evidence files have been uploaded to the task, they will be listed under Evidence docs.
1. From Dashboard, select a Control.
2. Expand a Sub-Control.
3. Select the name of an evidence doc.
4. Select a location to save the evidence file.
Delete Evidence Files¶
Deleted evidence files cannot be recovered.
1. From Dashboard, select a Control.
2. Expand a Sub-Control.
3. Select the Delete icon to the left of the evidence file.
Add Note¶
Add notes to the Notes section for reminders, thoughts, and other information that do not require discussion.
1. From Dashboard, select a Control.
2. Expand a Sub-Control.
3. Go to the Notes tab.
4. Enter your note and select Add a note.
Deleting or Editing Notes
The user who wrote the note can delete it by selecting the Delete icon or edit it by selecting the Edit icon.
Add Comment to Discussions¶
Add comments to the Discussions section to communicate with other organization users about a Sub-Control.
1. From Dashboard, select a Control.
2. Expand a Sub-Control.
3. Go to the Discussions tab.
4. Enter your message and select Comment.
Note
Comments are limited to 200 characters.
Comments are annotated with the commenter's name and the date/time of submission.
Deleting Comments
The commenter can select the Delete icon to delete their message.
View Logs¶
View a history of all actions taken on a Sub-Control by going to the Logs tab.
1. From Dashboard, select a Control.
2. Expand a Sub-Control.
3. Go to Logs.
Sub-Control View¶
View detailed information about a Sub-Control and work on it.
Go to Sub-Control View¶
There are a number of ways to get to the Sub-Control View:
- Go to Current Assessment > All Controls and then select a Sub-Control from the list.
- Go to Current Assessment > Assigned Tasks and then select a task.
- Go to Current Assessment > Pending for Validation and then select a task.
- Go to Current Assessment > Calendar and then select a task.
Information and Actions¶
The information and actions available here are, for the most part, the same as in the Control View. Refer to that section of the guide for further details and instructions.
Assigned Tasks¶
View and go to tasks assigned to you for scoring or completion.
Go to Sub-Control View¶
1. Go to Current Assessment > Assigned Tasks.
2. Expand the Control and select the Sub-Control.
Pending for Validation¶
View and go to tasks assigned to you for validation.
Go to Task¶
1. Go to Current Assessment > Pending for Validation.
2. Expand the Control and select the Sub-Control.
Calendar¶
View a calendar with all of your tasks displayed by due date.
Actions¶
- Change Time Increment
- Shift Calendar
- View Workflow Status
- View Task Details
- View More Tasks
- Go to Safeguard View for Task
Change Time Increment¶
1. Go to Current Assessment > Calendar.
2. Select Month, Week, or Day to change the calendar view by time increments.
Shift Calendar¶
- Select the arrows to move forward or backward by a month, week, or day depending on the current view.
- Select today to return the calendar to the current day.
View Workflow Status¶
The tasks have checkmarks to indicate their status in the workflow:
- A single checkmark indicates the task has been completed but not validated.
- Two checkmarks preceding the task indicate the task has been validated.
- No checkmark indicates that the task has not yet been completed.
View Task Details¶
1. Go to Current Assessment > Calendar.
2. Hover over a task on the calendar to view:
- Control #
- Question
- Assigned To user
- Assigned By user
- Completed By user
- Validated By user
Go to Sub-Control View for Task¶
1. Go to Controls Console or an Organization Info page and select the assessment name or Go to Assessment Dashboard icon for the assessment.
2. Go to Calendar.
3. Select a task to go to its Sub-Control View.
Understanding Scoring¶
This section provides guidance on scoring categories, how the assessment score is calculated, and the score legend.
Scoring Categories¶
Scoring Category | Description |
---|---|
Policy Defined | To what degree is this Sub-Control covered by your organization’s policies? |
Control Implemented | To what degree has your organization implemented this Sub-Control? This can factor in coverage (such as what percentage of the machines in your organization have this Sub-Control implemented) and/or level of implementation (for instance, all machines in your organization could have the Sub-Control partially implemented). |
Control Automated | To what degree does your organization enforce this Sub-Control through automated means vs. manual/procedural means? |
Control Reported | To what degree is the state of this Sub-Control being reported within your organization, generally to leadership or management? Are updates on the state of that Sub-Control's implementation getting to where they need to go (to the decision makers who can act on them, to those who can decide if the organization needs to invest more to improve that Sub-Control's implementation in order to reduce risk, to meet any reporting requirements the organization has including requirements from organizational policies or from regulatory requirements, etc.)? |
Calculate Score¶
Each scoring category has six score options. Policy Defined, for example, has the following score options:
Score Options | Point Value (in Percent) |
---|---|
No Policy | 0 |
Informal Policy | 25 |
Partial Written Policy | 50 |
Written Policy | 75 |
Approved Written Policy | 100 |
Not Applicable | Not included in calculation |
Each Sub-Control is scored as the average of the scoring options chosen (Not Applicable options are excluded). The overall score for a Control is the average of its Sub-Controls' scores. Finally, the score for the whole assessment is the average of all the Control scores.
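The calculation above and the Performance Snapshot metrics (Control Average Score, Percentage Completed, Percentage Validated, Assessment Average) carried through on constructed data, as an added example that is not part of this guide or of the tool itself. It assumes the Performance Snapshot formula "Sum of Validated and Applicable Control Averages divided by Number of Applicable Controls" means that only validated, applicable Safeguards contribute to a Control's average in that sum, so a Control with nothing validated yet contributes 0.

```python
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List, Optional

# Point values of the six Policy Defined score options from the table above.
# None stands for Not Applicable, which is left out of every average.
POLICY_DEFINED_POINTS: Dict[str, Optional[int]] = {
    "No Policy": 0, "Informal Policy": 25, "Partial Written Policy": 50,
    "Written Policy": 75, "Approved Written Policy": 100, "Not Applicable": None,
}


@dataclass
class SubControl:
    name: str
    # Points chosen in the four scoring categories, in the order Policy Defined,
    # Control Implemented, Control Automated, Control Reported; None = Not Applicable.
    categories: List[Optional[int]]
    applicable: bool = True
    completed: bool = False
    validated: bool = False

    def score(self) -> Optional[float]:
        """Sub-Control score: average of the chosen options, ignoring Not Applicable."""
        chosen = [p for p in self.categories if p is not None]
        return mean(chosen) if chosen else None


def control_average(subs: List[SubControl]) -> Optional[float]:
    """Control Average Score: mean of the applicable Safeguards' scores."""
    scores = [s.score() for s in subs if s.applicable and s.score() is not None]
    return mean(scores) if scores else None


def percentage(subs: List[SubControl], flag: str) -> float:
    """Percentage Completed / Validated over the Control's applicable Safeguards."""
    applicable = [s for s in subs if s.applicable]
    if not applicable:
        return 0.0
    return 100.0 * sum(1 for s in applicable if getattr(s, flag)) / len(applicable)


def assessment_average(controls: Dict[str, List[SubControl]]) -> float:
    """Assessment Average per the Performance Snapshot table (see the assumption
    in the lead-in): per Control, the mean over validated and applicable
    Safeguards; summed and divided by the number of applicable Controls."""
    applicable = {c: subs for c, subs in controls.items() if any(s.applicable for s in subs)}
    if not applicable:
        return 0.0
    total = 0.0
    for subs in applicable.values():
        validated = [s.score() for s in subs
                     if s.applicable and s.validated and s.score() is not None]
        if validated:
            total += mean(validated)
    return total / len(applicable)


# Constructed sample assessment: two Controls, five Sub-Controls (not real CIS data).
SAMPLE = {
    "Control 1": [
        SubControl("1.1", [100, 75, 50, 25], completed=True, validated=True),  # 62.5
        SubControl("1.2", [50, 50, None, None], completed=True),               # 50.0
        SubControl("1.3", [0, 0, 0, 0], applicable=False),                     # excluded
    ],
    "Control 2": [
        SubControl("2.1", [100, 100, 100, 100], completed=True, validated=True),  # 100
        SubControl("2.2", [0, 25, 50, 75]),                                       # 37.5
    ],
}
```

Running `control_average(SAMPLE["Control 1"])` gives 56.25, its Percentage Validated is 50.0, and `assessment_average(SAMPLE)` is 81.25 because Control 1's only validated Safeguard scores 62.5 and Control 2's scores 100.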
Score Legend¶
As the assessment is completed, the colors of the Controls will change based on the score:
CIS Controls¶
The CIS Controls are a prioritized set of actions that collectively form a defense-in-depth set of best practices that mitigate the most common attacks against systems and networks. The CIS Controls are developed by a community of IT experts who apply their first-hand experience as cyber defenders to create these globally accepted security best practices. The experts who develop the CIS Controls come from a wide range of sectors including retail, manufacturing, healthcare, education, government, defense, and others.
The CIS Controls v8.0 consists of 18 top-level Controls that serve as categories to house 153 Safeguards. Each CIS Safeguard is a specific action that can be implemented or activity that can be performed to improve an organization’s cyber defense program. The previous version of the CIS Controls, v7.1, consists of 20 top-level Controls that serve as categories to house 171 Safeguards.
To download the CIS Controls and see the other companion resources that are available, please visit the CIS Controls.
Implementation Groups¶
In v7.1 of the CIS Controls, Implementation Groups (IGs) were introduced. Implementation Groups put the CIS Safeguards (known as CIS Sub-Controls prior to CIS Controls v8) into 3 groups to help organizations prioritize which Safeguards to implement first. CIS recommends that all organizations implement IG-1, as the IG-1 Safeguards represent essential cyber hygiene. Based on the resources available to the organization, as well as the criticality of the data and services that the organization needs to protect, the organization can determine whether it should also implement additional Safeguards from IG-2 and IG-3. Each Implementation Group builds on the lower Implementation Groups; thus an organization implementing IG-2 should also implement IG-1, and an organization implementing IG-3 should implement all three Implementation Groups.
The following are some general guidelines to help organizations determine which Implementation Groups are right for them:
IG-1¶
Organizations with limited resources where the sensitivity of data is low will need to implement the Safeguards that typically fall into the IG-1 category.
IG-2¶
Organizations with moderate resources and greater risk exposure for handling more sensitive assets and data will need to implement the IG-2 Controls along with IG-1. These Safeguards focus on helping security teams manage sensitive client or company information.
IG-3¶
Mature organizations with significant resources and high risk exposure for handling critical assets and data need to implement the Safeguards under the IG-3 category along with IG-1 and IG-2. The Safeguards that help reduce the impact of targeted attacks from sophisticated adversaries typically fall into IG-3.
A useful reference that lists all of the CIS Safeguards and which Implementation Group they belong to (for CIS Controls v7.1) can be found at: CIS Controls v7.1 Implementation Groups Reference.