Skip to main content
Security Performance Management
Continuous Monitoring
Vendor Risk Management
Trust Management Hub
Cyber Insurance
National Cybersecurity

Insights to Control Framework Mapping: TLS/SSL Certificate Configurations

Ingrid

Refer to the following TLS/SSL Certificate Configurations insights and assessments and how they're mapped to CIS v7 and CIS v8 controls for Control Insights:

Certificates Validated

Certificates can generally be validated against a trusted root Certificate Authority (CA), indicating effective control and management of TLS/SSL configurations.

The ratio of events of type [Untrusted TLS/SSL Certificate] by type [Untrusted TLS/SSL Certificate, TLS/SSL Certificate Good Record] is below 10.0%

Assessment

insight-effective.png Positive

Observations

CIS v8 Controls CIS v7 Controls

Controls

4 Secure Configuration of Enterprise Assets and Software

Safeguards

  • 4.10 Enforce Automatic Device Lockout on Portable End-User Devices
  • 4.2 Establish and Maintain a Secure Configuration Process for Network Infrastructure

Controls

5 Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers

Safeguards

  • 5.1 Establish Secure Configurations
  • 5.4 Deploy System Configuration Management Tools
  • 5.5 Implement Automated Configuration Monitoring Systems

No Certificates With Insecure Parameters

The lack of TLS/SSL certificates with insecure parameters indicates effective control and management of TLS/SSL configurations

The ratio of events of type [Insecure TLS/SSL Certificate Settings] by type [Insecure TLS/SSL Certificate Settings, TLS/SSL Certificate Good Record] is below 10.0%

Assessment

✓ Positive

Observations

CIS v8 Controls CIS v7 Controls

Controls

4 Secure Configuration of Enterprise Assets and Software

Safeguards

  • 4.10 Enforce Automatic Device Lockout on Portable End-User Devices
  • 4.2 Establish and Maintain a Secure Configuration Process for Network Infrastructure

Controls

5 Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers

Safeguards

  • 5.1 Establish Secure Configurations
  • 5.4 Deploy System Configuration Management Tools
  • 5.5 Implement Automated Configuration Monitoring Systems

Self-Signed Certificates

The presence of self-signed TLS/SSL certificates exposed to the Internet indicates ineffective and insecure server configurations

At least one event of the following event types was detected: [Self-Signed TLS/SSL Certificate]

Assessment

insight-ineffective.png Negative

Observations

TLS/SSL Certificates

CIS v8 Controls CIS v7 Controls

Controls

4 Secure Configuration of Enterprise Assets and Software

Safeguards

  • 4.2 Establish and Maintain a Secure Configuration Process for Network Infrastructure
  • 4.10 Enforce Automatic Device Lockout on Portable End-User Devices

Controls

5 Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers

Safeguards

  • 5.1 Establish Secure Configurations
  • 5.2 Maintain Secure Images
  • 5.4 Deploy System Configuration Management Tools
  • 5.5 Implement Automated Configuration Monitoring Systems

Cannot Be Validated Certificates

The presence of TLS/SSL certificates that cannot be validated against a trusted root certificate authority (CA) indicates ineffective control and management of TLS/SSL configurations

The ratio of events of type [Untrusted TLS/SSL Certificate] by type [Untrusted TLS/SSL Certificate, TLS/SSL Certificate Good Record] is above 20.0%

Assessment

insight-ineffective.png Negative

Observations

CIS v8 Controls CIS v7 Controls

Controls

4 Secure Configuration of Enterprise Assets and Software

Safeguards

  • 4.2 Establish and Maintain a Secure Configuration Process for Network Infrastructure
  • 4.10 Enforce Automatic Device Lockout on Portable End-User Devices

Controls

5 Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers

Safeguards

  • 5.1 Establish Secure Configurations
  • 5.4 Deploy System Configuration Management Tools
  • 5.5 Implement Automated Configuration Monitoring Systems

Certificates With Insecure Parameters

The presence of TLS/SSL certificates with insecure parameters indicates ineffective control and mismanagement of TLS/SSL configurations.

The ratio of events of type [Insecure TLS/SSL Certificate Settings] by type [Insecure TLS/SSL Certificate Settings, TLS/SSL Certificate Good Record] is above 20.0%

Assessment

insight-ineffective.png Negative

Observations

CIS v8 Controls CIS v7 Controls

Controls

4 Secure Configuration of Enterprise Assets and Software

Safeguards

  • 4.2 Establish and Maintain a Secure Configuration Process for Network Infrastructure
  • 4.10 Enforce Automatic Device Lockout on Portable End-User Devices

Controls

5 Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers

Safeguards

  • 5.1 Establish Secure Configurations
  • 5.4 Deploy System Configuration Management Tools
  • 5.5 Implement Automated Configuration Monitoring Systems
  • April 1, 2025: Published.

Related articles

Feedback

0 comments

Please sign in to leave a comment.