Insights to Control Framework Mapping: TLS/SSL Certificate Configurations

Ingrid

Refer to the following TLS/SSL Certificate Configurations insights and assessments and how they're mapped to CIS v7 and CIS v8 controls for Control Insights:

Certificates Validated

Certificates can generally be validated against a trusted root Certificate Authority (CA), indicating effective control and management of TLS/SSL configurations.

The ratio of events of type [Untrusted TLS/SSL Certificate] by type [Untrusted TLS/SSL Certificate, TLS/SSL Certificate Good Record] is below 10.0%.

Assessment: Positive

Observations:
- TLS/SSL Certificates
- TLS/SSL Configurations

CIS v8 Controls
Controls: 4 Secure Configuration of Enterprise Assets and Software
Safeguards:
- 4.10 Enforce Automatic Device Lockout on Portable End-User Devices
- 4.2 Establish and Maintain a Secure Configuration Process for Network Infrastructure

CIS v7 Controls
Controls: 5 Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
Safeguards:
- 5.1 Establish Secure Configurations
- 5.4 Deploy System Configuration Management Tools
- 5.5 Implement Automated Configuration Monitoring Systems

No Certificates With Insecure Parameters

The lack of TLS/SSL certificates with insecure parameters indicates effective control and management of TLS/SSL configurations.

The ratio of events of type [Insecure TLS/SSL Certificate Settings] by type [Insecure TLS/SSL Certificate Settings, TLS/SSL Certificate Good Record] is below 10.0%.

Assessment: Positive

Observations:
- DKIM Records
- TLS/SSL Certificates
- TLS/SSL Configurations

CIS v8 Controls
Controls: 4 Secure Configuration of Enterprise Assets and Software
Safeguards:
- 4.10 Enforce Automatic Device Lockout on Portable End-User Devices
- 4.2 Establish and Maintain a Secure Configuration Process for Network Infrastructure

CIS v7 Controls
Controls: 5 Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
Safeguards:
- 5.1 Establish Secure Configurations
- 5.4 Deploy System Configuration Management Tools
- 5.5 Implement Automated Configuration Monitoring Systems

Self-Signed Certificates

The presence of self-signed TLS/SSL certificates exposed to the Internet indicates ineffective and insecure server configurations.

At least one event of the following event types was detected: [Self-Signed TLS/SSL Certificate].

Assessment: Negative

Observations:
- TLS/SSL Certificates

CIS v8 Controls
Controls: 4 Secure Configuration of Enterprise Assets and Software
Safeguards:
- 4.2 Establish and Maintain a Secure Configuration Process for Network Infrastructure
- 4.10 Enforce Automatic Device Lockout on Portable End-User Devices

CIS v7 Controls
Controls: 5 Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
Safeguards:
- 5.1 Establish Secure Configurations
- 5.2 Maintain Secure Images
- 5.4 Deploy System Configuration Management Tools
- 5.5 Implement Automated Configuration Monitoring Systems

Cannot Be Validated Certificates

The presence of TLS/SSL certificates that cannot be validated against a trusted root certificate authority (CA) indicates ineffective control and management of TLS/SSL configurations.

The ratio of events of type [Untrusted TLS/SSL Certificate] by type [Untrusted TLS/SSL Certificate, TLS/SSL Certificate Good Record] is above 20.0%.

Assessment: Negative

Observations:
- TLS/SSL Certificates
- TLS/SSL Configurations

CIS v8 Controls
Controls: 4 Secure Configuration of Enterprise Assets and Software
Safeguards:
- 4.2 Establish and Maintain a Secure Configuration Process for Network Infrastructure
- 4.10 Enforce Automatic Device Lockout on Portable End-User Devices

CIS v7 Controls
Controls: 5 Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
Safeguards:
- 5.1 Establish Secure Configurations
- 5.4 Deploy System Configuration Management Tools
- 5.5 Implement Automated Configuration Monitoring Systems

Certificates With Insecure Parameters

The presence of TLS/SSL certificates with insecure parameters indicates ineffective control and mismanagement of TLS/SSL configurations.

The ratio of events of type [Insecure TLS/SSL Certificate Settings] by type [Insecure TLS/SSL Certificate Settings, TLS/SSL Certificate Good Record] is above 20.0%.

Assessment: Negative

Observations:
- DKIM Records
- TLS/SSL Certificates
- TLS/SSL Configurations

CIS v8 Controls
Controls: 4 Secure Configuration of Enterprise Assets and Software
Safeguards:
- 4.2 Establish and Maintain a Secure Configuration Process for Network Infrastructure
- 4.10 Enforce Automatic Device Lockout on Portable End-User Devices

CIS v7 Controls
Controls: 5 Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
Safeguards:
- 5.1 Establish Secure Configurations
- 5.4 Deploy System Configuration Management Tools
- 5.5 Implement Automated Configuration Monitoring Systems

April 1, 2025: Published.