CIS18 ReView
GAP analysis and ReView
Get an overview of your current resilience to a cyber attack; both on a technical and organizational level by getting to know your own infrastructure, organization/workflows and service providers.
Benefits of CIS18 ReView
- Make the biggest positive impact in the shortest possible time with CIS18 IG1
- CIS18 is a good stepping stone for further work with ISO27xxx and NIS2.
- It’s not “just” interview-based. We conduct technical tests to substantiate, confirm and refute any shortcomings and strengths
Briefly about CIS18 ReView
Based on CIS18, a cybersecurity framework similar to the well-known ISO27xxx and NIST frameworks, we conduct an all-round assessment of both your organizational (who does what?) and technical (how do we do it?) security defenses to uncover strengths and weaknesses. This product includes both interviews and technical tests focusing on where you can increase your resilience, and results in a report with prioritized recommendations for the immediate future, as well as an Excel sheet with an overview of your current CIS18 compliance status that you can work on and update as you progress. Which technical tests are performed varies from customer to customer – we typically take the results from the interviews, as well as any preferences and input from you, as the starting point.
CIS18 is divided into three IGs (implementation groups), where IG1 is what the industry calls “basic cyber hygiene”; it is typically IG1 that is reviewed unless otherwise agreed.
Note that this is a product that, especially in the first two days of the interview, requires some active participation from your internal resources – more on this in “How a CIS18 ReView works”.
Examples of topics we will touch on are: Logging, Access Control, Vulnerability Management, Access Management, Awareness etc.
How a CIS18 ReView takes place
The ReTest Security consultant sends an email well in advance of the start of the assignment with questions, as well as various materials for preparation before the start, so that time can be used as efficiently as possible. This will also help the company to see which internal resources should be available for the first two days of the interview.
The task is usually structured like this:
- Day 1-2: Interview where the questions in the agreed CIS18 IG(s) are reviewed and Excel sheets are filled in.
- Days 2-4: Technical tests of the topics agreed to focus on during the interviews or that the company would like a more in-depth investigation of. Examples of two typical focus points are: Active Directory (account management, access control, configurations, etc.) or patch management/vulnerabilities in the infrastructure.
- Day 5: The consultant analyzes the data and prepares the report.
How often is a CIS18 ReView performed?
Few organizations show good maturity at their first review against the CIS controls. That’s why it can be a good idea to do a CIS18 ReView once a year, or whenever there have been major changes to your own infrastructure and/or major changes in terms of service providers (who does what?).
If your company has completed a CIS18 IG1 ReView and has largely achieved its goals, it is of course also a good idea to go through the exercise again if you are aiming for IG2 or IG3, to ensure that your company is ready for it.
Next steps
For those who have already worked with IG1/2 but, due to expansion, requirements from partners/authorities or similar, would like to continue with IG2/3, the approach will be slightly different. We start by looking at the work the company has done with IG1/2 as an initial scoping: where are you at, what future projects do you have (and what resources for them), and what type of company are you?
The ReTest consultant will use this, as well as data from the interview part, to select the technical tests and to prepare the report, so that the focus is in the right place – to expand the compliance level against the CIS18 controls.
Reporting
In addition to the Excel sheet that is filled out during the interview days, which you are of course free to update as things change, the work also results in a report. This report contains, among other things:
- An executive summary that in non-technical terms briefly describes your current IT security level in general and in relation to CIS18 specifically.
- Brief review of each of the controls reviewed and the compliance of the controls. Here the consultant briefly describes the strengths and weaknesses in relation to the compliance of each control, based on data from both interviews and technical tests.
- Review of technical tests, findings and tools used.
- Conclusion
- Option – Roadmap with recommended technical and organizational projects/implementations, prioritized and selected by the consultant based on data from interviews and technical tests.
Depending on what the interview and technical tests confirm or refute, the consultant will typically also send various additional materials for future use. This could be action cards for incident response, templates for employees to report incidents, cybersecurity best practices for employees, etc. These additional materials are for free use by the customer.
I would like to receive a call
Use the contact form and we will call you back within 12 hours.
Contact us
Phone number
+45 77 41 44 14
Address
Hørkær 26
2730 Herlev, Denmark