CSCv8 Audit Summary (Explore)

Tenable has been certified by Center for Internet Security (CIS) to perform a wide variety of platform and application audits based on the best practice consensus benchmarks developed by CIS. Tenable submits example test cases for all of the criteria within each unique benchmark, and then submits our results to CIS personnel for official certification. Tenable has developed audit files based on the CIS benchmarks tested on systems, and has been approved and certified by CIS staff members. This report provides organizations with information which specifically measures against the compliance standards related to the CIS , Critical Security Controls, Version 8 (CSCv8) is a prioritized set of safeguards mapped to, and referenced by multiple legal, regulatory, and policy frameworks.

The primary goal of the CSCv8 is to mitigate the most prevalent cyber-attacks against  systems and networks. The controls were formerly the SysAdmin, Audit, Network, and Security (SANS) Top 20.  The controls are consolidated by activity, rather than by who manages the devices.  With version 8 of CSC, there are 18 controls.  Those controls are Inventory and Control of Enterprise Assets, Inventory and Control of Software Assets, Data Protection, Secure Configuration of Enterprise Assets and Software, Account Management, Access Control Management, Continuous Vulnerability Management, Audit Log Management, Email and Web Browser Protections, Malware Defenses, Data Recovery, Network Infrastructure Management, Networking Monitoring and Defense, Security Awareness and Training, Service Provider Management, Application Software Security, Incident Response Management, and Penetration Testing.

Information presented within this dashboard includes a summary of CIS audit checks currently supported by Tenable. Results will highlight one of three severity levels that will provide valuable information analysts can use to harden systems within the enterprise. The informational severity level is considered “Passed”, indicating that the configuration setting matches the expected result of the audit check. Results assigned a “Medium” severity must be evaluated by an analyst to determine whether the results are accurate or not. When an audit check fails, the severity is set to “High”, indicating that the collected result and the expected result do not match. Each failure should be reviewed, fixed, and re-scanned to ensure that the system has been secured properly. Using these benchmarks will help to assess the effectiveness of existing security controls on systems, and provide the critical context needed to strengthen an organization's security posture.

Tenable provides several solutions for organizations to better understand vulnerability management. Security leaders need to SEE everything, PREDICT what matters most and ACT to address cyber risk and effectively align cybersecurity initiatives with business objectives. Tenable Vulnerability Management (formerly Tenable.io) discovers and analyzes assets continuously to provide an accurate and unified view of an organization's security posture. The requirements for this dashboard are: Tenable Vulnerability Management.

Widgets:

• Framework Result Summary: This widget provides compliance results (Passed, Warning, Error, Failed) results related to the Center for Internet Security (CIS), Critical Security Controls, Version 8 (CSCv8).
• Control Summary: This widget provides compliance results for each control family within the compliance standard. 
• Audit Check Type Summary: This widget provides compliance results for Windows and Unix hosts within the compliance standard.
• Access Control Management: This widget provides details on each of the compliance controls for the compliance family group being referenced. 
• Account Management: This widget provides details on each of the compliance controls for the compliance family group being referenced. 
• Application Software Security: This widget provides details on each of the compliance controls for the compliance family group being referenced. 
• Audit Log Management: This widget provides details on each of the compliance controls for the compliance family group being referenced. 
• Continuous Vulnerability Management: This widget provides details on each of the compliance controls for the compliance family group being referenced. 
• Data Protection: This widget provides details on each of the compliance controls for the compliance family group being referenced. 
• Data Recovery: This widget provides details on each of the compliance controls for the compliance family group being referenced. 
• Email and Web Browser Protections: This widget provides details on each of the compliance controls for the compliance family group being referenced. 
• Incident Response Management: This widget provides details on each of the compliance controls for the compliance family group being referenced. 
• Inventory and Control of Enterprise Assets: This widget provides details on each of the compliance controls for the compliance family group being referenced. 
• Inventory and Control of Software Assets: This widget provides details on each of the compliance controls for the compliance family group being referenced. 
• Malware Defenses: This widget provides details on each of the compliance controls for the compliance family group being referenced. 
• Network Infrastructure Management: This widget provides details on each of the compliance controls for the compliance family group being referenced. 
• Network Monitoring and Defense: This widget provides details on each of the compliance controls for the compliance family group being referenced. 
• Secure Configuration of Enterprise Assets and Software: This widget provides details on each of the compliance controls for the compliance family group being referenced. 
• Security Awareness and Skills Training: This widget provides details on each of the compliance controls for the compliance family group being referenced. 
• Service Provider Management: This widget provides details on each of the compliance controls for the compliance family group being referenced.