by Cesar Navas
March 6, 2024
Tenable has been certified by Center for Internet Security (CIS) to perform a wide variety of platform and application audits based on the best practice consensus benchmarks developed by CIS. Tenable submits example test cases for all of the criteria within each unique benchmark, and then submits our results to CIS personnel for official certification. Tenable has developed audit files based on the CIS benchmarks tested on systems, and has been approved and certified by CIS staff members. This report provides organizations with information which specifically measures against the compliance standards related to the CIS , Critical Security Controls, Version 8 (CSCv8) is a prioritized set of safeguards mapped to, and referenced by multiple legal, regulatory, and policy frameworks.
The primary goal of the CSCv8 is to mitigate the most prevalent cyber-attacks against systems and networks. The controls were formerly the SysAdmin, Audit, Network, and Security (SANS) Top 20. The controls are consolidated by activity, rather than by who manages the devices. With version 8 of CSC, there are 18 controls. Those controls are Inventory and Control of Enterprise Assets, Inventory and Control of Software Assets, Data Protection, Secure Configuration of Enterprise Assets and Software, Account Management, Access Control Management, Continuous Vulnerability Management, Audit Log Management, Email and Web Browser Protections, Malware Defenses, Data Recovery, Network Infrastructure Management, Networking Monitoring and Defense, Security Awareness and Training, Service Provider Management, Application Software Security, Incident Response Management, and Penetration Testing.
Information presented within this dashboard includes a summary of CIS audit checks currently supported by Tenable. Results will highlight one of three severity levels that will provide valuable information analysts can use to harden systems within the enterprise. The informational severity level is considered “Passed”, indicating that the configuration setting matches the expected result of the audit check. Results assigned a “Medium” severity must be evaluated by an analyst to determine whether the results are accurate or not. When an audit check fails, the severity is set to “High”, indicating that the collected result and the expected result do not match. Each failure should be reviewed, fixed, and re-scanned to ensure that the system has been secured properly. Using these benchmarks will help to assess the effectiveness of existing security controls on systems, and provide the critical context needed to strengthen an organization's security posture.
Tenable provides several solutions for organizations to better understand vulnerability management. Security leaders need to SEE everything, PREDICT what matters most and ACT to address cyber risk and effectively align cybersecurity initiatives with business objectives. Tenable Vulnerability Management (formerly Tenable.io) discovers and analyzes assets continuously to provide an accurate and unified view of an organization's security posture. The requirements for this report are: Tenable Vulnerability Management.
Chapters:
- Executive Summary: This chapter contains three elements which provide a high level overview summarizing results outlined in CIS CSCv8.
- Framework Result Summary: This chapter summarizes all the families outlined in the Center for Internet Security (CIS) , Critical Security Controls, Version 8 (CSCv8).
- Control Summary: This chapter summarizes all the families outlined in CIS CSCv8.
- Audit Check Type Summary: This chapter provides details on each of the compliance controls for the compliance family group being referenced.
- Access Control Management: This chapter provides details on each of the compliance controls for the compliance family group being referenced.
- Account Management: This chapter provides details on each of the compliance controls for the compliance family group being referenced.
- Application Software Security: This chapter provides details on each of the compliance controls for the compliance family group being referenced.
- Audit Log Management: This chapter provides details on each of the compliance controls for the compliance family group being referenced.
- Continuous Vulnerability Management: This chapter provides details on each of the compliance controls for the compliance family group being referenced.
- Data Protection: This chapter provides details on each of the compliance controls for the compliance family group being referenced.
- Data Recovery: This chapter provides details on each of the compliance controls for the compliance family group being referenced.
- Email and Web Browser Protections: This chapter provides details on each of the compliance controls for the compliance family group being referenced.
- Incident Response Management: This chapter provides details on each of the compliance controls for the compliance family group being referenced.
- Inventory and Control of Enterprise Assets: This chapter provides details on each of the compliance controls for the compliance family group being referenced.
- Inventory and Control of Software Assets: This chapter provides details on each of the compliance controls for the compliance family group being referenced.
- Malware Defenses: This chapter provides details on each of the compliance controls for the compliance family group being referenced.
- Network Infrastructure Management: This chapter provides details on each of the compliance controls for the compliance family group being referenced.
- Network Monitoring and Defense: This chapter provides details on each of the compliance controls for the compliance family group being referenced.
- Secure Configuration of Enterprise Assets and Software: This chapter provides details on each of the compliance controls for the compliance family group being referenced.
- Security Awareness and Skills Training: This chapter provides details on each of the compliance controls for the compliance family group being referenced.
- Service Provider Management: This chapter provides details on each of the compliance controls for the compliance family group being referenced.