![]() You can download your copy of the workbook here.Īs well as the initial assessment tool (on which my own was based) at AuditScripts. That is probably enough backstory and description to get you started. The point is to have a roadmap with a prioritized list of action items (based on a trusted security framework) that can be reported back to the business–and in that regard, I think this works nicely. You should make an effort to address each of the controls to at least IG1, but very few small or mid-sized orgs would be willing to spend the $ to complete IG3–and that’s okay. As well, plan to complete the Basic controls (ID #1-6) before proceeding to the Foundational (ID #7-16) and finally Organizational (ID #17-20). to complete IG2 you must also complete IG1). The CIS Benchmarks are prescriptive configuration recommendations for more than 25+ vendor product families. But when you are prioritizing the work, it is recommended to approach implementation in the following order: Focus on IG1 before proceeding to IG2 (i.e. Once you answer all of the questions for your organization, you’ll see lots of holes and opportunities to provide valuable improvements. It is far from being a perfect tool, and not even as complete as the AuditScripts workbook on which it is based, but I think it is an easy one to adopt and understand for those working to move their customers further into Microsoft 365. After all, just because you cannot address a risk with Microsoft 365 does not mean that it doesn’t exist. ![]() However, I have still included some descriptions for each of the controls regardless, borrowing heavily from CIS documentation. For example some controls pertain to software development practices or networking security technologies. A keen eye will notice that not all of the CIS controls can be addressed purely within Microsoft 365. I copied this idea and general format into a simple, one-page spreadsheet that contains some specific recommended actions for Microsoft 365, specifying the features or settings to implement for each Implementation Group. “ Approved written policy.” In turn these responses roll up into some nice reporting and a dashboard that does a really nice job of illustrating an organization’s maturity and currently accepted risk level. All of these responses have varying degrees of “completeness” that you can choose from such as “ Informal policy” vs. Image credit: Center for Internet Securityįor each group, you have a set of recommended actions or “to-do’s.” Using the tool you can report on whether the control is implemented, whether there is a policy backing the control, and you may indicate whether you have this control automated and reported to the business. The workbook goes into good detail on each of the 20 critical controls laid out by CIS, in three separate “Implementation Groups” (IGs). It’s wonderful, and I encourage you to check it out. One extremely valuable resource that I like to use is a free “Initial Assessment” tool published by AuditScripts. The best way to do this is to perform an initial assessment against a standardized and reputable security control framework such as the NIST Cyber Security Framework (CSF) or the Center for Internet Security (CIS). In other words, you want to be able to highlight the risks that they are choosing to accept by not spending that extra money. Besides being able to paint a picture of “what good looks like” for stakeholders on a conceptual level, you also need to clearly illustrate the risks that their business faces. Please see this post for more details.Įspecially in the small and mid-sized enterprise space, it can be very difficult to persuade customers to spend additional money on their technology investments “because security.” Therefore, education is an important part of your job as an advisor in this area. The YAML file cis-benchmarks.yaml is the YAML representation of the CIS Benchmark guideline for each Subcategory.Note: I have updated this workbook to reflect changes in v8 of the CIS Controls framework.In nearly all cases, the recommendation is to turn off auditing for these settings. The recommended settings for these Subcategories are based on the logging volume for these events, versus the security value. Some tests are included here which were not included in the CIS guide.If you would like to see WinRM (or other) connection types, let me know or send a PR. SSH is included with Windows Server 2019, it just has to be enabled. ![]()
0 Comments
Leave a Reply. |