Implementing CIS Controls

David347
Tera Contributor

I am looking to input CIS Controls into ServiceNow as an Authority Document, but would like to know your views on how you would pick out the Entity Types and group them with Control Objectives. I would like to have the description specific to the entity type. So, e.g., Windows supported by Defender, Servers by Symantec, MacBooks by McAfee.


My thinking would be:

CIS v8 Module 10: Malware Defences

Entity Types:

- Windows Devices
- MacBooks
- Servers
- Cloud Servers
So I have 7 Control Objectives:

1. Deploy and Maintain Anti-Malware
2. Configure Automatic Anti-Malware
3. Disable Autorun and Autoplay for removable media
4. Configure Automatic Anti-Malware scanning of removable media
5. Enable Anti-Exploitation features
6. Centrally manage Anti-Malware software
7. Use Behaviour-based Anti-Malware software


My question is:

Under the control objective, do I create duplicate controls for each of the entity types?

i.e. "1. Deploy and Maintain Anti-Malware: For Windows", "1. Deploy and Maintain Anti-Malware: MacBooks", etc.


How would you guys do it?


rajeeshraj
Tera Guru

If all of those 7 control objectives have the same scope, that is, they apply to Windows, MacBooks, servers, etc.,

then you would map all Entity Types to the 7 control objectives. This will create controls for all the entities of the entity type Windows, all the entities of the entity type MacBooks, etc.


OK, thank you. Yes, I would like them all to meet the same requirements. If I did this, how would I tell what they are using to meet that requirement?

Ideally I would like to know that they have the control in place, but also that, say, the Windows device is protected by Defender, not Symantec, for example.

Would I amend the control to state that it is controlled by Defender?

There is an option on the control objective called "Attestation"; here you can select the out-of-the-box attestation called "GRC Attestation".


When you link your entity type to the control objective, a control will be created for each entity (for example, for each Windows device).

The control is initially in the Draft state; when you push the control to the Attest state (done by clicking the Attest button), an attestation will be assigned to the control owner (in this case the owner of the Windows device).

The attestation has questions like "Is the control implemented?" and "Attach evidence".

If the control owner responds to the assessment saying no to the question, then the control will be marked as non-compliant; if yes, then compliant.


OK, great, that's exactly how I understand it.


But my management would like the control to be more specific.

Having the information only in the attestation is not very accessible, to my understanding.