Audits are an integral part of good governance in that they help you to objectively evaluate processes, controls, and risks within your organization. Simultaneously, assessments are tools that you can use to measure the effectiveness of these elements. Assessments provide valuable insights and evidence to support the audit process. In essence, assessments and governance audits are two sides of the same governance coin, working in tandem to ensure the credibility and integrity of your organization.
In this blog post, I’ll discuss how assessments naturally complement your audits. I’ll also explain how you can use benefits, resources, and tools of a CIS SecureSuite Membership to conduct assessments in support of your audits.
Below are four reasons why assessments are key to successful audits.
Assessments act as a spotlight, uncovering risks that might have gone unnoticed. They help you to identify gaps in your organization's processes, systems, or controls that could lead to non-compliance with regulations or standards, financial discrepancies, or even reputational damage. By identifying these risks early through assessments, you can preemptively take action to mitigate them, enabling smoother and more effective audits.
Quick tip: When you’re looking to unveil hidden risks, make sure that you break down the requirements. You might feel tempted to go straight to addressing high-level requirements, but to be effective, you need to spend some time exploring the details and understanding the technical elements.
An integral part of any audit is verifying compliance with relevant laws, regulations, and standards. Assessments provide the necessary evidence to demonstrate this compliance, showing that controls are not just in place but are also effectively addressing the intended risks. Furthermore, assessments can verify that processes are working and achieving their objectives. They offer a methodical way to validate the efficacy of your organization's operations and governance, supporting the audit findings.
Assessments don't just provide a snapshot of the current state of affairs; they also offer insights into potential areas for improvement. By identifying weaknesses and areas of non-compliance, assessments can guide strategic decisions on where to allocate resources to improve processes and controls. This continual improvement is beneficial for achieving strategic objectives and is also looked upon favorably in audits, demonstrating a proactive commitment to good governance.
Assessments encourage accountability throughout your organization. They demand involvement from all levels, from executive management to frontline staff, promoting a shared responsibility for governance and compliance. This culture of accountability is a significant asset during audits, as it demonstrates that governance is not just a management concern but is also embedded throughout your organization.
Quick tip: If you’re looking to develop a culture of accountability from scratch, you might want to consider sitting down with business owners and stakeholders to develop a Responsible Accountable Consulted Informed (RACI) matrix. In doing so, you’ll be able to specify everyone’s responsibilities and identify the true owners of a governance audit at your organization.
CIS SecureSuite provides you access to two assessment tools: the pro version of the CIS Controls Self Assessment Tool (CIS CSAT Pro) and the pro version of the CIS Configuration Assessment Tool (CIS-CAT Pro). Both will help you take a strategic approach to implementing CIS security best practices. They will also save you time and money when preparing for an audit.
Let’s look at how these tools satisfy the four benefits of assessments discussed above.
Both CIS CSAT Pro and CIS-CAT Pro can help you identify where you can strengthen your cybersecurity maturity. The former helps you track your implementation of the CIS Critical Security Controls (CIS Controls), vendor-agnostic security measures which you can use to strengthen your cyber defenses. With CIS CSAT Pro, you can determine which Controls you’ve already enacted, identify security gaps, and map out future implementation efforts before your next audit.
It’s a similar story for CIS-CAT Pro. This tool enables you to automate scans of your systems’ settings against the recommendations of the CIS Benchmarks, secure configuration guidelines developed by IT professionals around the world using a consensus process. Using CIS-CAT Pro and its HTML output report, you can see to which recommendations each of your operating systems align. You can then identify steps that you can use to further harden your systems in preparation for an audit.
The CIS Controls and CIS Benchmarks map to numerous security regulations and frameworks. This is by design. You can use these mappings to implement the Controls and Benchmarks in a way that not only accords with your unique needs but also fulfills your compliance objectives at the same time. You can therefore implement our security best practices once and not worry about duplicating your efforts.
Here’s a look at where you can save time and money with your compliance efforts using the CIS Controls and CIS Benchmarks.
As discussed above, CIS CSAT Pro and CIS-CAT Pro help you to streamline your implementation of the Controls and the Benchmarks, respectively. They simplify your compliance program even further by reducing manual effort (in the case of CIS-CAT Pro), improving your visibility, and providing you with resources to plan for the future. In that sense, they empower you to take a proactive approach to your audits by planning and building upon your compliance objectives.
The same can be said about assessing your risks. With CIS CSAT Pro specifically, you can focus on the strategy of evaluating your cybersecurity posture against the Controls using the CIS Risk Assessment Method (CIS RAM) v2.1. This is important, as you may need to communicate this strategy and demonstrate how you’ve taken “due care” in the event of a security incident. CIS CSAT Pro helps you to formalize your risk assessments; you’re able to document what you’ve done and why those controls are “reasonable” based upon your understanding of the risks at you organization.
Learn more about how to demonstrate reasonableness with CIS RAM v2.1:
With CIS CSAT Pro and CIS-CAT Pro, you don’t need to stop assessing your cybersecurity posture. You can continue to evaluate your systems and data to identify how you can continue to grow.
Take CIS CSAT Pro. It lets you prioritize your implementation of the Controls, which are themselves prioritized into three Implementation Groups (IGs). If you’re new to the Controls, you can begin by enacting Implementation Group 1 (IG1) and laying a foundation of essential cyber hygiene in the process. From there, you can use CIS CSAT Pro to work your way through relevant CIS Safeguards in Implementation Group 2 (IG2) and Implementation Group 3 (IG3) in a way that works with your security requirements, your evolving technology, and the changing threat landscape facing your organization.
CIS-CAT Pro provides similar functionality. Each scan yields insight into how you can harden the settings of your operating systems in ways that will more closely align them to the security recommendations of the CIS Benchmarks and to your unique needs. CIS Benchmarks come in three different configuration profiles – Level 1 (base hardening), Level 2 (for defense-in-depth), and versions that include all recommendations set forth in the Defense Information Systems Agency Security Technical Implementation Guides (DISA STIG). As a result, you can use CIS-CAT Pro to gauge your hardening efforts based upon the level of security you need for each of your systems.
Finally, you can use the functionality of CIS CSAT Pro and CIS-CAT Pro to engage your team and stakeholders ahead of the next audit. CIS CSAT Pro enables you to assign implementation tasks to your team members and communicate timelines to your stakeholders so that everyone can collaborate on preparing for the next audit. Along those same lines, CIS-CAT Pro comes with a Dashboard component that graphically displays your scan results over a recent period of time. You can use these results to coordinate with team members, frame your results and goals in a business context, seek executive buy-in for future hardening, and map out the next steps for securely configuring your systems.
Assessments are a vital tool in the governance toolbox. They unlock the full potential of audits by revealing risks, verifying compliance and effectiveness, facilitating continuous improvement, and promoting a culture of accountability. Essentially, they transform audits from a necessary obligation into a strategic asset. By understanding the symbiotic relationship between assessments and audits, you can leverage both to their full potential, achieving compliance, improved governance, reduced risk, and enhanced performance along the way.
In the next blog post, I’ll switch my focus from governance to risk with a discussion around the importance of quantitative risk analysis.
Check out related blog posts:
Sean Atkinson is Chief Information Security Officer of CIS. He uses his broad cybersecurity expertise to direct strategy, operations, and policy to protect CIS’s enterprise of information assets. His job responsibilities include risk management, communications, applications, and infrastructure. Prior to CIS, he served as the Global Information Security Compliance Officer for GLOBALFOUNDRIES, serving Governance, Risk and Compliance (GRC) across the globe.
Prior to GLOBALFOUNDRIES, Atkinson led the security implementation for the New York State Statewide Financial System (SFS) implementation from 2007 to 2014, and his last role and responsibility was as the Internal Control, Risk and Information Security Manager.
Atkinson was born in Brooklyn, N.Y. and lived in England for 18 years, graduating from Sheffield Hallam University in 2000. After moving back to the United States, he has pursued multiple degrees and certifications in the IT arena.
In addition to his work with CIS, Atkinson is also an adjunct professor of Computer Science at the College of Saint Rose.