The Center for Internet Security (CIS) has done a terrific job compiling cybersecurity best practices that organizations of all sizes and industries can use to improve their cybersecurity posture. Most notably, the CIS Critical Security Controls provide a roadmap to help organizations protect themselves from the most common cybersecurity threats. For their part, the CIS Benchmarks give a baseline for securely configuring standard IT systems and products.

What are CIS Benchmarks and Compliance Anyway?

First, it's essential to understand the CIS and its role in the cybersecurity landscape. The Center for Internet Security (CIS) is a non-profit organization composed of volunteer cybersecurity experts from government, the private sector, and academia. The organization develops and promotes standards, policies, and best practices for improving cybersecurity readiness and response. It also offers a range of programs, tools, and resources to promote cybersecurity best practices in government and the private sector. Many of these tools and resources are free and available for anyone to use.

Specifically, the CIS Benchmarks provide a standard framework for calibrating and configuring the most common digital assets. IT systems and products typically ship with default configurations. However, these settings lean more towards ease of deployment than security. Therefore, the CIS Benchmarks give organizations consensus-driven configuration standards and best practices for securing vulnerable digital assets, both freshly installed and legacy. There are over 100 benchmarks spanning more than 25 different vendor products. The featured products include the most commonly used systems, such as Microsoft, Linux, Apple, Cisco, Amazon Web Services (AWS), Google, Kubernetes, and IBM. Furthermore, the benchmarks cover seven primary areas, including:

You can think of the CIS Benchmarks as an open-source project for developing security configuration best practices. First, a panel of cybersecurity experts convenes to develop a draft version of the benchmark recommendations. These experts are drawn from various sectors, including government, manufacturing, academia, and research. The preliminary panel develops, deliberates, and tests the draft before moving to the next stage. Next, the wider CIS community receives the draft recommendations for appraisal. This wider community includes global cybersecurity and IT experts from various industries. Again, the community provides feedback and suggestions. Finally, the draft is amended before it is released to the public as the CIS Benchmarks.

The CIS Benchmarks take the form of a comprehensive PDF document with hundreds of pages. However, the document is logically structured to make it easier to implement the recommendations. For example, the document is broken up into sections such as Cloud Providers, Server Software, and Network Devices, so the Network Devices section outlines recommendations for configuring network devices, and so on. Each benchmark also has a logical structure. It starts with an overview of the benchmark, including the intended audience, definitions, and description. Next, the document outlines the rationale behind the benchmark and its impact on the organization. Finally, the document recommends specific actions and guidelines for implementing the benchmark.

The CIS Benchmarks PDF is available to download for free from the Center for Internet Security website. However, you'll need to register an account with the CIS before you can download the document. The account is also free and only takes a few minutes to register.

Regarding CIS Benchmarks compliance, the CIS isn't a regulatory agency. Therefore, it cannot enforce compliance with its Benchmarks. However, most organizations choose to comply with the benchmarks. CIS compliance makes sense because most major compliance frameworks reference the CIS Benchmarks as the gold standard. For example, organizations covered under the CMMC, HIPAA, and PCI-DSS regulations must comply with the CIS Benchmarks, directly or indirectly. Therefore, each recommendation also includes the steps for confirming CIS compliance.

Below are a few examples of how CIS Benchmarks and compliance work.

Example 1: Prioritizing CIS Benchmarks with Profiles

Securing system configurations is a complex problem even with the detailed guidelines provided in the CIS Benchmarks. For instance, it's unclear where you should start hardening your system. The CIS Benchmarks categorize the system hardening process into two distinct Profiles: Level 1 and Level 2. The Level 1 profile includes surface-level configuration recommendations.
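The recommendation structure (description, Profile level, compliance-confirmation step, remediation) and the Level 1 before Level 2 prioritization described above, as an added example that is not code from the post or from CIS: it models a few constructed, CIS-style recommendations (the IDs X.1 to X.3 and their wording are constructed, not CIS section numbers) and runs their audit steps against an embedded sample sshd_config so it works offline; the `setting` parser assumes sshd's rule that the first occurrence of a keyword wins.

```python
# Added example, not from the post or from CIS: constructed CIS-style
# recommendations (description, Profile level, audit step, remediation).
import re
from dataclasses import dataclass
from typing import Callable

# Constructed sample standing in for a host's /etc/ssh/sshd_config.
SAMPLE_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
X11Forwarding yes
MaxAuthTries 4
"""

def setting(config, key):
    """First value of `key` in sshd_config-style text (sshd uses the first
    occurrence), or None. Keywords are case-insensitive; '#' lines never match."""
    for line in config.splitlines():
        m = re.match(rf"{re.escape(key)}\s+(\S+)\s*$", line.strip(), re.IGNORECASE)
        if m:
            return m.group(1)
    return None

@dataclass(frozen=True)
class Recommendation:
    rec_id: str                    # constructed id, not a CIS section number
    title: str                     # the recommendation's description
    profile: int                   # 1 = Level 1 (baseline), 2 = Level 2
    audit: Callable[[str], bool]   # the "confirm compliance" step
    remediation: str               # the recommended action

RECOMMENDATIONS = [
    Recommendation("X.1", "Ensure SSH root login is disabled", 1,
                   lambda c: setting(c, "PermitRootLogin") == "no",
                   "Set 'PermitRootLogin no' and reload sshd."),
    Recommendation("X.2", "Ensure SSH MaxAuthTries is 4 or less", 1,
                   lambda c: int(setting(c, "MaxAuthTries") or 6) <= 4,  # unset = sshd default 6
                   "Set 'MaxAuthTries 4'."),
    Recommendation("X.3", "Ensure SSH X11 forwarding is disabled", 2,
                   lambda c: setting(c, "X11Forwarding") == "no",
                   "Set 'X11Forwarding no'."),
]

def run_audit(config, max_profile):
    """Audit every recommendation at or below `max_profile`, Level 1 first;
    returns {rec_id: compliant}. Start with max_profile=1, then widen to 2."""
    return {r.rec_id: r.audit(config)
            for r in sorted(RECOMMENDATIONS, key=lambda r: r.profile)
            if r.profile <= max_profile}
```

Running `run_audit(SAMPLE_SSHD_CONFIG, 1)` reports only the Level 1 items, which is where the post says hardening should begin; widening to 2 adds the X11 check.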