Dashboard
Introduction
Upon logging in to CIS-Hosted CSAT, you will land on the Dashboard. This page contains assessment information specific to the current user.
This guide covers:
- Managing Current Assessment
- Changing Implementation Groups
- Going to a Control Dashboard
- Understanding Data
Note
Each organization has its own dedicated Dashboard page, so ensure you go to the intended organization by selecting it from Organizations > Intended Organization.
Manage Current Assessment
Admins can create new assessments in the organizations that they administer. Each assessment will be open or closed. There can be only one open assessment at a time per organization.
Start New Assessment
When finished with the assessment, Admins can close it by starting a new one. Closed assessments can still be viewed through Assessment History, but cannot be edited.
1. Go to Dashboard.
2. Select the green box with the assessment name.
3. Hover over End Current Assessment and select the desired option:
- Start New Blank Assessment: Starts a new blank assessment
- Start New Assessment Using Current Data: Starts a new assessment with the current assessment's data
- Start New Assessment With File Upload: Starts a new assessment using a .xlsx file of a previously exported assessment
4. Enter a name for the assessment and select the Controls version.
5. Select Start.
Rename Current Assessment
1. Go to Dashboard.
2. Select the green box with the assessment name and then Rename Current Assessment.
3. Enter a user-friendly, descriptive name for the assessment and select Submit to finish.
Delete Current Assessment
1. Go to Dashboard.
2. Select the green box with the assessment name and then Delete Current Assessment.
3. Select Delete to confirm.
Change Implementation Groups
What are Implementation Groups?
Implementation Groups (IGs) put the CIS Safeguards (known as CIS Sub-Controls prior to CIS Controls v8) into three groups to help organizations prioritize which Safeguards to implement first.
CIS recommends that all organizations implement IG-1, as its Safeguards represent essential cyber hygiene. Based on the resources available to the organization, as well as the criticality of the data and services that the organization needs to protect, the organization can determine whether it should also implement additional Safeguards from IG-2 and IG-3. Each subsequent IG builds on the lower IGs; thus an organization implementing IG-2 should also implement IG-1, and an organization implementing IG-3 should implement all three IGs.
The Implementation Groups the organization will be assessed against can be changed.
1. Go to Dashboard.
2. From the Implementation Group dropdown, select the Implementation Group(s) to assess your organization against.
Warning
Making this change will set Safeguard applicability to the chosen IG's default settings: IG-1 sets all IG-1 Safeguards as applicable; IG-2 sets all IG-1 and IG-2 Safeguards as applicable; IG-3 sets all IG-1, IG-2, and IG-3 Safeguards as applicable. Any applicability deviating from the chosen IG's default settings will be reset.
3. (If going from a higher to lower IG) Select OK.
The Safeguard applicability for your current assessment will automatically change depending on the IGs selected.
Go to Control Dashboard
- To work on a specific Control, select its associated button.
Note
If a button is grey, none of the Safeguards in that Control are applicable.
You will land on that Control's dedicated Dashboard, where you can score, assign, review, etc. its Safeguards.
Understand Data
Understanding the data provided is key to assessing, planning, and executing how to eliminate your organization's cybersecurity vulnerabilities.
Performance Snapshot
Metric | Description |
---|---|
Organization Average | The assessment average for the organization. Calculated by averaging the scores of all applicable Controls in the assessment. All applicable Sub-Controls within a Control are averaged together to calculate the Control Average Score for that assessment. A Sub-Control's score is calculated based on the applicable scoring categories within that Sub-Control. |
Industry Average | The assessment average for the organization's industry. The assessment-level Industry Average for that industry is calculated by averaging the organization averages for all of the organizations in that industry. Note: This is different than averaging the Control Industry Average scores for all Controls in that industry. |
Completion % | The percentage of applicable Controls that have been completed. |
Validation % | The percentage of applicable Controls that have been validated. |
Using Industry Average Data
While the industry average data can be useful as a point of comparison for your organization, it should not be used to determine when your organization has reached an acceptable level of maturity in your implementation of the CIS Controls; the decision of what is an acceptable level of maturity for the CIS Controls implementation for your organization should be made only after performing a thorough risk analysis for your organization. The industry average information provided is based on the self-assessed industry identification and self-assessed Safeguard scoring of CSAT users; as such, this information is provided as a point of reference, and should not be the basis for organizational decisions.
There are separate industry averages based on which version of the CIS Controls (v7.1 or v8.0) is specified for the assessment.
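The roll-up described in the Performance Snapshot table, worked through as an added example (not CSAT's own code), showing why the assessment-level Industry Average differs from the mean of the per-Control industry averages. The organization names, the 0-100 scale, the use of `None` for a not-applicable Safeguard, and the way the per-Control industry average is formed are all assumptions made for illustration.

```python
from statistics import mean

# Constructed sample data: Safeguard scores per Control for two organizations
# in the same industry. None = Safeguard not applicable (assumed encoding).
ORGS = {
    "org_a": {"Control 1": [100, 100], "Control 2": [0, None]},
    "org_b": {"Control 1": [None, None], "Control 2": [50, 100]},
}

def control_average(scores):
    """Average the applicable Safeguard scores; None if none are applicable."""
    applicable = [s for s in scores if s is not None]
    return mean(applicable) if applicable else None

def organization_average(controls):
    """Average the Control averages of all applicable Controls."""
    avgs = [control_average(s) for s in controls.values()]
    avgs = [a for a in avgs if a is not None]
    return mean(avgs) if avgs else None

def industry_average(orgs):
    """Assessment-level figure: mean of the organization averages."""
    avgs = [organization_average(c) for c in orgs.values()]
    return mean([a for a in avgs if a is not None])

def mean_of_control_industry_averages(orgs):
    """The figure the table says NOT to confuse with the Industry Average:
    average each Control across organizations first (assumed method),
    then average those per-Control results."""
    names = sorted({n for controls in orgs.values() for n in controls})
    per_control = []
    for name in names:
        vals = [control_average(c[name]) for c in orgs.values() if name in c]
        vals = [v for v in vals if v is not None]
        if vals:
            per_control.append(mean(vals))
    return mean(per_control)

if __name__ == "__main__":
    for org, controls in ORGS.items():
        print(org, organization_average(controls))
    print("industry average:", industry_average(ORGS))
    print("mean of per-Control industry averages:",
          mean_of_control_industry_averages(ORGS))
```

The two figures diverge here because org_b has no applicable Safeguards in Control 1, so that Control is weighted differently depending on the order of averaging.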
Monthly Graph
A line graph that tracks the organization's average score by month.
The snapshot for the previous month is generally taken on the first day of the following month if the CIS SecureSuite Platform instance is live. For instance, August data will appear on September 1.
Spider Web
A radar graph that shows the assessment's average score per Control against the industry average score per Control.
Control Implementation Average Bar Graph
A bar graph representing the average for only the Control Implemented scoring category.
The colors of the bars, however, correspond to the average score for that Control (which includes all four applicable scoring categories).
Group Implementation Averages
A bar graph representing the average score by IG.
Maturity Level Average Scores and Indices
The bar chart and tables provide data on how 'mature' the organization is in its implementation of the CIS Controls. Over time, as the organization bolsters its security measures, its maturity scores should increase.