Center for Internet Security (CIS) Benchmarks
The Center for Internet Security (CIS) is a nonprofit organization that publishes best practices for securing IT systems and data.
- partly founded by SANS
- publishes the well-known Critical Security Controls and CIS Benchmarks
CIS Benchmarks
The CIS Benchmarks are a set of security configuration best practices developed by a consensus community of experts.
- developed in 2003
- CIS established a consensus process to develop a set of security configuration guidelines based on best practices
- provide a secure baseline configuration for various operating systems, applications, and hardware devices
- define best practice approaches to patching, hardening, and system logging
- industry standard for secure configuration
- available for free from https://www.cisecurity.org/cis-benchmarks/
- some vulnerability scanners include configuration scanning options to compare an endpoint’s active configuration to CIS Benchmarks
- continually updated
- 5 core focus areas in CIS Benchmarks
  - each core area has several subcategories
Using CIS Benchmarks
- organizations should select a set of benchmarks based on their industry and system architecture
- review the recommended security configuration settings and determine if they need to make changes to their IT systems and applications to meet the benchmarks
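The configuration-scanning idea from the notes above (compare an endpoint's active configuration with the recommended settings and flag what needs changing) as an added Python example. This is illustrative code written for these notes, not CIS tooling, and the baseline it uses is a constructed subset of common SSH hardening settings, not the text of any CIS Benchmark recommendation; the sample sshd_config is likewise constructed. It also goes slightly beyond the notes by handling two sshd_config parsing pitfalls that make naive checkers misreport: repeated keywords (sshd uses the first value it reads) and `Match` blocks (conditional, so not part of the global baseline).

```python
"""Compare an endpoint's active sshd_config against a benchmark-style baseline.

Added example for these notes; not CIS's own tooling. The BASELINE below is a
constructed subset in the spirit of CIS hardening guidance, not benchmark text.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed sample of an endpoint's sshd_config (not from a real host).
SAMPLE_SSHD_CONFIG = """\
# OpenSSH daemon configuration (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication no
X11Forwarding no
MaxAuthTries 4
MaxAuthTries 10
LogLevel INFO
Match User backup
    PermitRootLogin no
"""


@dataclass
class Rule:
    directive: str
    expected: str                    # human-readable expectation for the report
    check: Callable[[str], bool]     # returns True when the (lower-cased) value complies


# Constructed baseline: a hypothetical subset of SSH hardening settings.
BASELINE: List[Rule] = [
    Rule("PermitRootLogin", "no", lambda v: v == "no"),
    Rule("PasswordAuthentication", "no", lambda v: v == "no"),
    Rule("X11Forwarding", "no", lambda v: v == "no"),
    Rule("MaxAuthTries", "4 or less", lambda v: v.isdigit() and int(v) <= 4),
    Rule("LogLevel", "INFO or VERBOSE", lambda v: v in ("info", "verbose")),
    Rule("ClientAliveInterval", "explicitly set", lambda v: v.isdigit()),
]


@dataclass
class Finding:
    directive: str
    status: str              # "pass", "fail" or "missing"
    actual: Optional[str]    # effective value on the endpoint, None if not set
    expected: str


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return the effective global value of each directive (keys lower-cased).

    Two sshd_config behaviours matter for an accurate check:
    * for a repeated keyword sshd uses the FIRST value it reads, so a
      'last wins' parser would report MaxAuthTries 10 instead of 4;
    * everything after a Match line applies only to matching connections,
      so it is not part of the global baseline and is skipped here.
    """
    effective: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip() if len(parts) > 1 else ""
        effective.setdefault(key, value)      # first occurrence wins
    return effective


def audit(config_text: str, rules: List[Rule]) -> List[Finding]:
    """Evaluate every baseline rule against the effective configuration."""
    effective = parse_sshd_config(config_text)
    findings: List[Finding] = []
    for rule in rules:
        actual = effective.get(rule.directive.lower())
        if actual is None:
            status = "missing"
        elif rule.check(actual.lower()):
            status = "pass"
        else:
            status = "fail"
        findings.append(Finding(rule.directive, status, actual, rule.expected))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per status so a scanner can report an overall score."""
    counts = {"pass": 0, "fail": 0, "missing": 0}
    for f in findings:
        counts[f.status] += 1
    return counts


if __name__ == "__main__":
    results = audit(SAMPLE_SSHD_CONFIG, BASELINE)
    for f in results:
        print(f"{f.status:8} {f.directive:24} actual={f.actual!r} expected={f.expected}")
    print(summarize(results))
```

Running it on the constructed sample reports `PermitRootLogin` as a fail (the `Match` block's `no` does not change the global setting), `MaxAuthTries` as a pass with the effective value 4, and `ClientAliveInterval` as missing, which is the kind of gap a real benchmark review would turn into a configuration change.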
Types of CIS Benchmarks
- There are multiple versions of benchmarks:
  - Enterprise benchmarks
    - for large organizations with standardized architectures
    - e.g., government, financial services, energy, utility companies, etc.
  - SOHO/SMB benchmarks
    - for smaller organizations and residential settings
  - Critical infrastructure benchmarks
    - for a nation’s critical infrastructure organizations
    - e.g., utilities and transportation
  - Cyber Defense Intelligence benchmarks
    - for organizations that need to protect sensitive data
    - e.g., government agencies and financial services
  - Healthcare benchmarks
    - for organizations in the healthcare industry
  - Education benchmarks
    - for K-12 and higher education organizations
  - Energy and utilities benchmarks
    - for the energy and utility sectors
    - e.g., power plants, transportation, distribution
  - Telecommunications benchmarks
    - for telecommunications providers
  - Retail benchmarks
    - for the retail industry, including brick-and-mortar and online retailers
  - Government benchmarks
    - for federal, state, and local government organizations
CIS Benchmark Implementation Tool
The CIS Benchmark Implementation Tool is a subscription-based service that allows organizations to select and configure a set of CIS Benchmarks™ based on their industry and organization type.
- a cloud-based service that enables the implementation of CIS Benchmarks
- subscription-based
- provides access to a repository of detailed configuration settings for specific technologies and systems
- includes configuration guidelines for implementing the CIS Benchmarks™ in different environments
  - e.g., on-premises and cloud
Critical Security Controls
- version 8 consists of the following 18 controls:
  - Inventory and Control of Enterprise Assets
  - Inventory and Control of Software Assets
  - Data Protection
  - Secure Configuration of Enterprise Assets and Software
  - Account Management
  - Access Control Management
  - Continuous Vulnerability Management
  - Audit Log Management
  - Email and Web Browser Protections
  - Malware Defenses
  - Data Recovery
  - Network Infrastructure Management
  - Network Monitoring and Defense
  - Security Awareness and Skills Training
  - Service Provider Management
  - Application Software Security
  - Incident Response Management
  - Penetration Testing