Implementing CIS Controls
‎11-17-2022 08:48 AM
I am looking to input CIS Controls into ServiceNow as an Authority Document, but would like to know your views on how you would pick out the Entity Types and group them with Control Objectives. I would like to have the description specific to the entity type. So, i.e., Windows supported by Defender, Servers by Symantec, MacBooks by McAfee.
My thinking would be:
CIS V8 Module 10: Malware defences
Entity Types:
Windows Devices
MacBooks
Servers
Cloud Servers
So I have 7 Control Objectives
1. Deploy and Maintain Anti-Malware
2. Configure Automatic Anti-Malware
3. Disable Autorun and Autoplay for removable media
4. Configure Automatic Anti-malware scanning of removable media
5. Enable Anti-Exploitation features
6. Centrally manage Anti-Malware Software
7. Use Behaviour based Anti Malware software
My question is:
Under the control objective, do I create duplicate controls for each of the entity types?
i.e. 1. Deploy and Maintain Anti-Malware: For Windows, 1. Deploy and Maintain Anti-Malware: MacBooks, etc.
How would you guys do it?
‎11-17-2022 09:10 AM
If all of those 7 control objectives have the same scope, that is, they apply to Windows, MacBooks, servers, etc.,
then you would map all entity types to the 7 control objectives. This will create controls for all the entities of the entity type Windows, all the entities of the entity type MacBooks, etc.
‎11-17-2022 09:18 AM
Ok, thank you. Yes, I would like them all to meet the same requirements. If I did this, how would I tell what they are using to meet that requirement?
Ideally I would like to know that they have the control in place, but also that, say, the Windows device is protected by Defender, not using Symantec for example.
Would I amend the control to state that it is controlled by Defender?
‎11-17-2022 12:03 PM
There is an option on the control objective called "Attestation"; here you can select the out-of-box attestation called "GRC Attestation".
When you link your entity type to the control objective, a control will be created for each entity (for example, for each Windows device).
The control is initially in the Draft state; when you push the control to the Attest state (done by clicking the Attest button), an attestation will be assigned to the control owner (in this case the owner of the Windows device).
The attestation has questions like "Is the control implemented?" and "Attach evidence".
If the control owner responds to the assessment saying no to the question, then the control will be marked as non-compliant; if yes, then compliant.
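As an added illustration of the flow described in this answer (this is a stand-alone model written for this page, not ServiceNow code and not something the posters wrote), the Python below fans the four entity types out across the seven Control 10 objectives, creates one control per entity, walks each control through Draft, Attest and Compliant / Non Compliant, and records the product named in the attestation evidence so a report can show which anti-malware product covers which entity type. The entity names, control owners, the cloud-server product and the one failed answer are constructed assumptions for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample data mirroring the thread's CIS v8 Control 10 setup.
# This models the fan-out and attestation flow only; it is not ServiceNow's data model or API.
CONTROL_OBJECTIVES = [
    "Deploy and Maintain Anti-Malware",
    "Configure Automatic Anti-Malware",
    "Disable Autorun and Autoplay for removable media",
    "Configure Automatic Anti-malware scanning of removable media",
    "Enable Anti-Exploitation features",
    "Centrally manage Anti-Malware Software",
    "Use Behaviour based Anti Malware software",
]

# entity type -> [(entity name, control owner)]  (names and owners are assumed)
ENTITIES: Dict[str, List[Tuple[str, str]]] = {
    "Windows Devices": [("WIN-001", "alice"), ("WIN-002", "bob")],
    "MacBooks": [("MAC-001", "carol")],
    "Servers": [("SRV-001", "dave")],
    "Cloud Servers": [("CLD-001", "erin")],
}

# Product expected per entity type (Windows/Servers/MacBooks from the question; cloud is assumed).
EXPECTED_PRODUCT = {
    "Windows Devices": "Microsoft Defender",
    "MacBooks": "McAfee",
    "Servers": "Symantec",
    "Cloud Servers": "Symantec",
}


@dataclass
class Control:
    objective: str
    entity_type: str
    entity: str
    owner: str
    state: str = "Draft"   # Draft -> Attest -> Compliant / Non Compliant
    evidence: str = ""     # what the owner attached, e.g. the product protecting this entity

    def attest(self) -> None:
        """Push the control to Attest; the attestation goes to the control owner."""
        if self.state != "Draft":
            raise ValueError(f"{self.entity}/{self.objective}: not in Draft")
        self.state = "Attest"

    def respond(self, implemented: bool, evidence: str = "") -> str:
        """Record the owner's answer to 'Is the control implemented?' plus evidence."""
        if self.state != "Attest":
            raise ValueError("attestation has not been assigned yet")
        self.evidence = evidence
        self.state = "Compliant" if implemented else "Non Compliant"
        return self.state


def generate_controls(objectives: List[str], entities: Dict[str, List[Tuple[str, str]]]) -> List[Control]:
    """Mapping every entity type to every objective yields one control per (objective, entity)."""
    return [
        Control(objective=obj, entity_type=etype, entity=name, owner=owner)
        for obj in objectives
        for etype, members in entities.items()
        for name, owner in members
    ]


def compliance_by_entity_type(controls: List[Control]) -> Dict[str, Tuple[int, int]]:
    """(compliant, total) per entity type; Draft and Attest controls count as not yet compliant."""
    summary: Dict[str, Tuple[int, int]] = {}
    for c in controls:
        compliant, total = summary.get(c.entity_type, (0, 0))
        summary[c.entity_type] = (compliant + int(c.state == "Compliant"), total + 1)
    return summary


def products_by_entity_type(controls: List[Control], objective: str) -> Dict[str, set]:
    """Evidence attached for one objective, grouped by entity type (which product covers Windows, etc.)."""
    out: Dict[str, set] = {}
    for c in controls:
        if c.objective == objective and c.evidence:
            out.setdefault(c.entity_type, set()).add(c.evidence)
    return out


def run_demo() -> List[Control]:
    """Create, attest and answer every control with constructed responses."""
    controls = generate_controls(CONTROL_OBJECTIVES, ENTITIES)
    for c in controls:
        c.attest()
    for c in controls:
        # Constructed answers: everything implemented except Autorun on WIN-002.
        implemented = not (c.entity == "WIN-002" and c.objective.startswith("Disable Autorun"))
        c.respond(implemented, EXPECTED_PRODUCT[c.entity_type] if implemented else "")
    return controls


if __name__ == "__main__":
    done = run_demo()
    print(len(done), "controls created")
    print(compliance_by_entity_type(done))
    print(products_by_entity_type(done, CONTROL_OBJECTIVES[0]))
```

The point the model makes concrete: with four entity types mapped to seven objectives, you get seven controls per entity rather than seven duplicated objectives, and the product in use lives on each control's attestation evidence, which is what a grouped report has to read to answer "is this Windows device on Defender?".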
‎11-18-2022 01:04 AM
OK, great, that's exactly how I understand it.
But my management would like the control to be more specific.
Having the information in the attestation is not very accessible, to my understanding.