CIS Controls Simple Assessment Tool for Microsoft 365 Environments

Instructions - Read me first.

This tool is based on the CIS Controls Initial Assessment Tool by AuditScripts. The purpose of this tool is to provide organizations with a simple method for performing an initial assessment of their
information assurance maturity level (with an emphasis on productivity environments managed within Microsoft 365); the assessment is based on the controls defined by the CIS Controls and the Council on
Cybersecurity. Any questions about how this tool works or suggestions can be directed to alex@itpromentor.com. In order to use this tool, the assessor must only complete the answers to the drop down
menu questions in the columns labeled Policy Status and Implementation on the M365Controls worksheet. By choosing a drop down choice for each critical control, the assessment tool will automatically
generate a percentage complete based on the answers to each question. These scores can therefore be used to measure the organization's progress and what percentage of the CIS Controls they are
currently following with regard to Microsoft 365 and other common aspects of supporting information technology infrastructure. Ideally in the long term organizations would deploy tools that would
automate the collection of this information, but in the meanwhile, this tool can be used to help start the process of manually assessing an organization's maturity level. Note: this is not a complete
representation of the sub-controls contained in the actual CIS Controls Documentation; use the AuditScripts tool for a more comprehensive assessment against all systems.

Field Definitions
Control Category CIS Controls are broken into three categories: Basic, Foundational and Organization, as described in the CIS Controls documentation.
ID This is the ID number of the specific CIS Control as included in the CIS Controls documentation.
CIS Control Description This is the description behind each control as defined by the CIS Controls documentation.
Implementation Groups (IG) This defines three implementation groups that relate to each individual sub-control; these are meant to be cumulative (to complete IG2 you also must complete IG1).
Implementation Group Detail Suggested corresponding Microsoft 365 product features to implement for each sub-control (and non-Microsoft 365 items as appropriate).
Policy Status This question determines whether the organization currently has a policy defined that indicates that they should be implementing the defined sub control.
Implementation This question determines whether or not the organization currently has implemented this sub control and to what degree the control has been implemented.

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
 CIS Controls Simple Assessment Tool for Microsoft 365 Environments

Overall Risk Addressed Implementation Group 1 Implementation Group 2 Implementation Group 3

By Alex Fields, ITProMentor.com
Updated May 2020

Overall Risk Addressed: 0%

Overall Risk Accepted: 100%

Control
ID CIS Controls CIS Control Description IG Implementation Group Detail Policy status Implementation
Category

1 Inventory and Control of Hardware Assets
Actively manage (inventory, track, and correct) all
hardware devices on the network so that only authorized
devices are given access, and unauthorized and
unmanaged devices are found and prevented from gaining
access.
Enroll devices into Intune, and configure Device cleanup rules to regularly
1 No Policy Not Implemented
remove stale, inactive devices from inventory.
Use Conditional Access to require compliant devices (this blocks
2 unmanaged / non-compliant devices). No Policy Not Implemented
Auto-update inventory when network devices are added or removed.
3 Prevent unauthorized devices from connecting to corporate networks by No Policy Not Implemented
implmenting technologies such as 802.1x, client certificates, etc.

Maintain a list of approved apps; leverage Cloud App Discovery to identify

2 Inventory and Control of Software Assets
1 unsanctioned apps in use in the environment; on a regular basis, block or No Policy Not Implemented
remove these apps.
Actively manage (inventory, track, and correct) all
software on the network so that only authorized software
Enable integeration between Microsoft Cloud App Security and Microsoft
is installed and can execute, and that all unauthorized and 2 Defender ATP to auto-block unsanctioned cloud apps. No Policy Not Implemented
unmanaged software is found and prevented from
installation or execution.
Impelment application whitelisting by enabling Microsoft Defender
3 Application Control. Combine with AppLocker for further coverage. No Policy Not Implemented

1 Configure Software updates via Intune for Windows and Office. No Policy Not Implemented

Continuously acquire, assess, and take action on new Implement patching system for third-party software packages. Use Threat
3 Continuous Vulnerability Management information in order to identify vulnerabilities, remediate, 2 & Vulnerability Management (TVM) in Microsoft Defender ATP to track No Policy Not Implemented
and minimize the window of opportunity for attackers. and remediate CVE's on your endpoints.

B Regularly run vulnerability scans against internal and external corporate

3 networks to identify known vulnerabilities and remediate them according No Policy Not Implemented
A to priority based on CVSS score.
S
Use dedicated admin accounts that are not enabled for email, etc. Enable
I 1 Security Defaults or equivalent Conditional Access policies. Review No Policy Not Implemented
C privileged roles and keep only 2-4 global admin accounts.
The processes and tools used to
track/control/prevent/correct the use, assignment, and Remove local administrative privileges on workstations for all users (e.g.
4 Controlled Use of Administrative Privileges configuration of administrative privileges on computers,
2
deploy Windows 10 PC's via Intune using Autopilot).
No Policy Not Implemented

networks, and applications.

Implement Azure AD Privileged Identity Management; configure custom
3 alert policies in Microsoft Cloud App Security for administrative activity No Policy Not Implemented
and logon from non-corporate IP addresses.

5 Secure Configuration for Hardware and Software
Deploy Endpoint security profiles via Intune; implement MAM using App
1 No Policy Not Implemented
Establish, implement, and actively manage (track, report protection policies and App configuraiton policies for mobile.
on, correct) the security configuration of mobile devices,
laptops, servers, and workstations using a rigorous Use Conditional Access to require compliant devices; for mobile devices,
configuration management and change control process in
2
also require approved apps.
No Policy Not Implemented

order to prevent attackers from exploiting vulnerable

services and settings. Automatically enforce security configuration settings on servers and
3 network devices; implment monitoring system to alert when unauthorized No Policy Not Implemented
changes occur on network devices and servers.

Enable the Office 365 Unified audit log; enable the Alert policies. Ensure
1 No Policy Not Implemented
that logging has been enabled on all systems and networking devices.

6
Maintenance, Monitoring, and Analysis of Audit Collect, manage, and analyze audit logs of events that 2
Deploy Security Information and Event Management (SIEM) system such
as Azure Sentinel for log correlation and analysis; on a regular basis, No Policy Not Implemented
Logs could help detect, understand, or recover from an attack. review logs to identify abnormal events.

Tune SIEM to better identify actionable events and decrease noise;

3 configure automation where possible; for additional detections implement No Policy Not Implemented
Microsoft Threat Protection.

Enable Email authentication (SPF, DKIM, & DMARC). Configure Exchage

1 No Policy Not Implemented
Online Protection for spam & malware fitlering. Implement DNS filtering.

Minimize the attack surface and the opportunities for Enable Office 365 Advanced Threat Protection policies; use Intune to
7 Email and Web Browser Protections attackers to manipulate human behavior through their 2 deploy approved client apps (e.g. Edge, Oulook from Office 365). Do not No Policy Not Implemented
interaction with web browsers and email systems. allow unapproved apps for email and web browsing.

Implement Microsoft Defender Application Guard for Edge. Configure

3 No Policy Not Implemented
Web content filtering via Microsoft Defender ATP.

Enable Microsoft Defender Antivirus; always require removable media

1 scanning; use Intune Administrative templates to disable autoplay for No Policy Not Implemented
removable media.
Control the installation, spread, and execution of
malicious code at multiple points in the enterprise, while Enable Microsoft Defender Exploit Guard features such as Network
8 Malware Defenses optimizing the use of automation to enable rapid updating
2 Protection, Controlled Folder Access and Attack Surface Reduction. No Policy Not Implemented
of defense, data gathering, and corrective action
Deploy Microsoft Defender ATP; send all malware detection events to
3 Microsoft Defender ATP for analysis and reporting. No Policy Not Implemented

Configure Windows Firewall via Intune Endpoint security profiles;

1 explicitly deny all inbound traffic by default on end use systems. No Policy Not Implemented

Manage (track/control/correct) the ongoing operational

9 Limitation and Control of Network Ports
use of ports, protocols, and services on networked devices Perform automated port scans on a regular basis against all systems and
in order to minimize windows of vulnerability available to
2 alert if unauthorized ports are detected on a system. No Policy Not Implemented
attackers.
Place application firewalls in front of any critical servers to verify and
3 validate the traffic going to the server. Any unauthorized traffic should be No Policy Not Implemented
blocked and logged.

Enable the OneDrive backup feature for known folders such as

1 Documents, Desktop and Pictures. Implement Retention policies. No Policy Not Implemented

The processes and tools used to properly back up critical Consider third-party cloud backup for custom RPO, RTO, etc.; all other
10 Data Recovery Capability information with a proven methodology for timely 2 systems should be backed up automatically with at least one copy No Policy Not Implemented
recovery of it. available offline (not accessible from the network).

3 Test all restore procedures regularly to ensure backup integrity. No Policy Not Implemented

Install the latest stable version of any security-related updates on all

1 No Policy Not Implemented
Establish, implement, and actively manage (track, report network devices.
F on, correct) the security configuration of network
infrastructure devices using a rigorous configuration Maintain documented security configurations for all authorized network
O 11 Secure Configurations for Network Devices 2 devices; perform administration of network devices over an isolated No Policy Not Implemented
U management and change control process in order to VLAN, using encrypted sessions (+ MFA if possible).
prevent attackers from exploiting vulnerable services and
N settings. Compare all network device configurations against approved security
D 3 configurations defined for each network device in use, and alert when any No Policy Not Implemented
A deviations are discovered.
T Use a firewall at the boundary of the corporate network to deny
I 1
unauthorized traffic into and out of the network.
No Policy Not Implemented
O
N Detect/prevent/correct the flow of information
Block external communication over Teams/Skype for Business or restrict
A 12 Boundary Defense transferring across networks of different trust levels with 2
communication to specific remote domains.
No Policy Not Implemented
a focus on security-damaging data.
L
Decrypt all encrypted network traffic at the boundary for analysis;
3 configure Azure MFA for use with NPS/RADIUS to authenticate Remote No Policy Not Implemented
Access such as VPN or Remote Desktop.
D
A
T
I
O
N
A
L

Disable auto-forwarding to external domains. Block or limit external

The processes and tools used to prevent data exfiltration,
13 Data Protection mitigate the effects of exfiltrated data, and ensure the
privacy and integrity of sensitive information.
1 storage providers in Teams. Block or enforce expiry of anonymous links. No Policy Not Implemented
Enforce device encryption using Intune.
Identify, protect and dispose of data in a timely manner using Retention &
2 Sensitivity labels. Use Office 365 Message Encryption to protect sensitive No Policy Not Implemented
emails. Enable Office 365 Data Loss Prevention.

Enable Microsoft Cloud App Security to monitor and govern activity in

3 cloud apps (including third-party). Enable Cutstomer Lockbox feature. No Policy Not Implemented

Manage collaboration and sharing settings; e.g. external sharing settings

1 for sensitive sites, restricting who has the ability to create Groups and No Policy Not Implemented
The processes and tools used to grant permissions to sensitive data, etc.
track/control/prevent/correct secure access to critical
assets (e.g., information, resources, systems) according to Implement data classification and Sensitivity labels to enforce visual
14 Controlled Access Based on the Need to Know the formal determination of which persons, computers,
2 marking, data encryption and permissions. Limit access on unmanaged No Policy Not Implemented
devices with Conditional Access.
and applications have a need and right to access these
critical assets based on an approved classification. Implement automatic discovery and labeling of sensitive data for both
3 retention and sensitivity. No Policy Not Implemented

Implement AES encryption and ensure that personal and guest WiFi
1 networks are segmented and separate from corporate networks. No Policy Not Implemented

The processes and tools used to

track/control/prevent/correct the secure use of wireless Push WiFi profiles via Intune; maintain inventory of WiFi Access Points; on
15 Wireless Access Control local area networks (WLANs), access points, and wireless
2 a regular basis, scan for and remove unauthorized WAPs from the No Policy Not Implemented
network.
client systems.
Disable all wireless communication methods including Bluetooth and NFC
3 unless there is a legitimate business purpose. Restrict managed WiFi No Policy Not Implemented
capable devices from joining other wireless networks.

Enable Seucrity Defaults or equvialent Conditional Access policies to

1 enforce MFA. Disable legacy authentication. Regularly review user No Policy Not Implemented
accounts and disable any stale, inactive or unknown accounts.
Actively manage the life cycle of system and application
accounts – their creation, use, dormancy, deletion – in Enable SAML-based Single Sign-On (SSO) to Azure AD for third-party apps
16 Account Monitoring and Control order to minimize opportunities for attackers to leverage
2 wherever possible. Ensure all sign-in audit data is captured by a SIEM such No Policy Not Implemented
as Azure Sentinel.
them.
Monitor abnormal account behaviors using Azure ATP, Azure AD Identity
3 Protection & Microsoft Cloud App Security; integrate third-party HR No Policy Not Implemented
systems to automate terminated user account expiry.

Require staff to participate in a security awareness program and train

Identify the specific knowledge, skills, and abilities needed
Implement a Security Awareness and Training to support defense of the enterprise; develop and execute
17 an integrated plan to assess, identify gaps, and remediate
Program through policy, organizational planning, training, and
awareness programs.
1 No Policy Not Implemented
them to recognize cybersecurity threats and report incidents.
Ensure that the organization's security awareness program is updated
2 No Policy Not Implemented
frequently (at least annually) to address new technologies, threats,
standards, and business requirements.
Perform regular gap analysis including the Office 365 Attack Simulator,
3 reporting results to management, and deliver more specific training to No Policy Not Implemented
address the skills and behaviors gaps identified.

Do not allow standard users to register apps or grant app permissions in

1 No Policy Not Implemented
O Azure AD. Enable the Admin approval workflow.
R Manage the security life cycle of all in-house developed Use secure coding practices for software developed in-house; maintain
G 18 Application Software Security and acquired software in order to prevent, detect, and 2 separate environments for production and dev systems, use only current, No Policy Not Implemented
A correct security weaknesses. standard and accepted hardening practies and configurations.
N
I Apply static and dynamic analysis tools to verify that secure coding
3 No Policy Not Implemented
practices are being adhered to for internally developed software.
Z
A Create a written Incident Response policy with designated individuals (and
T 1 backups), including third-party contacts, and educate the incident No Policy Not Implemented
Protect the organization’s information, as well as its response team members about their roles.
I reputation, by developing and implementing an incident
O response plan for quickly discovering an attack and then Raise awareness about cyber incident response for other staff members;
N 19 Incident Response and Management effectively containing the damage, eradicating the
2 practice incident response excercises, including tracking and recording all No Policy Not Implemented
remediation steps, decision making, etc.
A attacker’s presence, and restoring the integrity of the
L network and systems. Implement incident scoring and prioritization system; implement
3 No Policy Not Implemented
processes to enforce continuing improvement.

1 Conduct regular exernal and internal scans to identify known vulnerabilites. No Policy Not Implemented

Test the overall strength of an organization’s defense (the Conduct regular external and internal penetration tests to identify
20 Penetration Tests and Red Team Exercises technology, the processes, and the people) by simulating 2 vulnerabilities and attack vectors that can be used to exploit enterprise No Policy Not Implemented
the objectives and actions of an attacker. systems successfully (including technical and social vulnerabilities).

Perform periodic Red Team exercises to test organizational readiness to

3 identify and stop attacks or to respond quickly and effectively. No Policy Not Implemented

Risk addressed Risk accepted

Total controls implemented 0% 100%
Total IG1 controls implemented 0% 100%
Total IG2 controls implemented 0% 100%
Total IG3 controls implemented 0% 100%
Total policy status 0% 100%
GRAND TOTAL 0% 100%

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
DO NOT CHANGE THESE VALUES

Policy Status
No Policy
Informal Policy
Partial Written Policy
Written Policy
Approved Written Policy

Implementation Status
Not Implemented
Parts of Policy Implemented
Implemented for Pilot
Moving to Production
Implementation Completed