CIS Benchmarks are collections of suggestions and greatest practices for securely configuring servers, networks, software program, and different IT methods. Developed by the Heart for Web Safety, the benchmarks present steerage companies can use to implement safe methods, assess their present degree of safety, and obtain regulatory compliance.
Given the quantity and complexity of IT companies and methods, it’s difficult for companies to develop insurance policies and implement procedures that keep ample safety. CIS Benchmarks present complete greatest practices for varied platforms and applied sciences, together with cloud platforms like AWS and Microsoft Azure.
On this article, we take a better have a look at CIS Benchmarks and the way companies can use them to enhance cybersecurity and compliance with data safety laws and requirements.
The Heart for Web Safety (CIS) is a non-profit group that goals to make the web secure by devising and selling safety greatest practices. It publishes the CIS Controls and CIS Benchmarks, that are developed in a crowd-sourced consensus-driven course of by a membership that features companies, authorities businesses, and different establishments.
The CIS Benchmarks are suggestions for securing IT methods. They supply the knowledge companies must confirm they’re following greatest practices and directions for greatest apply implementation.
To look extra intently at one of many dozens of CIS Benchmarks, the CIS Amazon Net Providers Foundations Benchmark is a 250-page doc protecting safety benchmarks for a variety of AWS companies, together with id and entry administration, storage, logging, monitoring, and networking.
Every part supplies greatest practices for generally used companies. For instance, the storage part supplies steerage for S3, EC2, RDS, and EFS. Every greatest apply features a rationale, directions for verifying the most effective apply is applied, and remediation directions explaining the right way to safe the service.
The benchmarks are a priceless useful resource for companies that must assess and enhance their safety posture. That’s why we use the CIS Benchmarks for cloud companies—together with AWS, Azure, and GCP—as the muse of our cloud safety audits.
CIS Controls vs. CIS Benchmarks
As a part of its mission to advertise web safety, the CIS publishes the CIS Controls, a compendium of 18 essential safety greatest practices that companies ought to observe to defend towards recognized cyberattacks. The controls deal with many greatest practices, together with for stock management, information safety, entry administration, malware, community monitoring, penetration testing, and extra. Just like the CIS Benchmarks, the CIS Controls are free, and they are often downloaded by any enterprise seeking to implement safe methods.
CIS Controls and CIS Benchmarks differ in specificity. Whereas the CIS Controls supply broad, high-level greatest practices for a variety of methods, the CIS Benchmarks supply actionable greatest practices for particular platforms and applied sciences, together with cloud platforms, working methods, network-connected gadgets, and purposes. Many CIS Benchmarks check with the related CIS Controls so customers can observe their progress in the direction of compliance.
Which Info Safety Areas Are Lined By CIS Requirements?
CIS Benchmarks cowl a big selection of companies, platforms, and software program, together with, amongst others:
- Desktop working methods: Microsoft Home windows and macOS.
- Server working systems: Debian, Ubuntu, CentOS, RHEL.
- Server software program: Microsoft IIS, Microsoft Home windows Server, Nginx, Apache.
- Virtualization and Cloud Software program: VMware, Kubernetes, Docker.
- Cloud platforms: AWS, Microsoft Azure, Google Cloud Computing Platform, Alibaba Cloud.
- Desktop software program: Microsoft Workplace, Google Chrome, Safari, Zoom.
What Are CIS Benchmark Ranges?
CIS associates every benchmark advice with a profile degree: Stage 1, Stage 2, or STIG. The profiles point out the safety degree achieved by implementing a advice.
Stage 1 suggestions are fundamental safety practices important to making a safe IT surroundings. Stage 2 suggestions are high-security suggestions for methods internet hosting delicate information or different high-security situations. Stage 2 suggestions could also be harder to implement, they usually could disrupt a enterprise’s operations.
For instance, the CIS Amazon Net Providers Foundations Benchmark comprises the next two suggestions, relevant to Stage 1 and Stage 2, respectively.
- Stage 1: Guarantee CloudTrail is enabled in all areas
- Stage 2: Guarantee CloudTrail log file validation is enabled
The STIG profile is meant to assist companies to adjust to the Safety Technical Implementation Information, a baseline safety normal created by the Protection Info Methods Company (DISA). The STIG profile consists of CIS Stage 1 and Stage 2 suggestions, in addition to further suggestions required for STIG compliance.
CIS Hardened Photographs are digital machine (VM) photographs with configurations that conform to the CIS Benchmarks. A VM picture is a snapshot of a pc storage system containing the working system and key library and utility software program. They are often run immediately by virtualization software program and cloud platforms or copied to a bodily server.
CIS Hardened Photographs allow companies to deploy servers and different gadgets with safe configurations out-of-the-box. Putting in a safe VM picture is a quicker and extra dependable approach to obtain benchmark compliance than putting in an working system and software program after which manually configuring it.
CIS publishes hardened photographs for many main server working methods, together with Microsoft Home windows Server, Amazon Linux, Debian, Ubuntu, CentOS, Oracle Linux, and Purple Hat Enterprise Linux. It additionally publishes photographs for purposes comparable to Nginx and PostgreSQL.
Main cloud platforms, together with AWS, Microsoft Azure, Google Cloud Platform, and Oracle Cloud, supply CIS Hardened Photographs of their marketplaces, permitting customers to deploy the photographs on to digital servers operating on the platform.
Regulatory frameworks and requirements impose safety and privateness obligations on companies, however they don’t present concrete steerage for reaching compliance. It’s difficult for companies to bridge the hole between laws and real-world implementations on explicit platforms.
CIS Benchmarks are designed to align with main data safety regulatory frameworks and requirements. In CIS’s language, the suggestions “map” to laws and requirements. Implementing CIS benchmark suggestions can subsequently assist companies to adjust to elements of requirements and frameworks that embody:
- PCI DSS
- ISO 27001
One instance of how this works is PCI DSS Requirement 2.2, which requires organizations that course of bank card information to “develop configuration requirements for all system elements…in keeping with industry-accepted hardening requirements.” CIS Benchmarks qualify as an industry-accepted normal. In truth, they’re talked about within the Requirement as an accepted normal alongside hardening requirements from the SANS Institute and the Nationwide Institute of Requirements Expertise (NIST).
CIS Benchmarks make it simpler for companies to safe IT methods and adjust to data safety requirements and laws. Nevertheless, compliance needs to be verified by an unbiased third social gathering.
KirkpatrickPrice helps organizations assess, confirm, improve, and display their safety with compliance audits, pen testing, safety consciousness coaching, and extra. Our complete audit capabilities embody:
To be taught extra, contact a KirkpatrickPrice data safety specialist right this moment.