An Introduction to CIS Benchmarks
The surge in cyberattacks, data breaches and other malicious activity underscores the need for a standardized, consensus-driven approach to securing systems. That need led to the formation of the Center for Internet Security (CIS) in 2000.
Today, we cater to MSPs looking for security solutions that not only align with CIS Benchmarks but also show the current implementation status of CIS Controls.
In this blog, we focus on the importance of CIS benchmarks for increased cyber resilience.
What Are CIS Benchmarks?
The Center for Internet Security Benchmarks are consensus-based, best-practice configuration guides developed by a community of global cybersecurity professionals and subject matter experts. Each benchmark provides specific, testable recommendations for configuring a particular technology or platform securely, and each recommendation carries a description, rationale, audit procedure and remediation procedure, so it can be checked and fixed rather than merely read. Benchmarks are distinct from the CIS Critical Security Controls: the Controls are higher-level safeguards (asset inventory, access control, incident response and so on), while a benchmark is the per-product configuration guidance that implements those safeguards on a specific platform.
MSPs can access more than 100 CIS Benchmarks as free PDF downloads (machine-readable formats and the CIS-CAT Pro assessment tool require a CIS SecureSuite membership). The types of technologies covered by CIS Benchmarks include:
| System/Technology | What the benchmarks cover | Examples |
|---|---|---|
| Operating systems | Network security, system hardening, user and account management and driver installation | Windows, Linux, macOS, Unix |
| Desktop software | Web browser settings, access management, user profile management and device management recommendations | Microsoft Office, Google Workspace, Chrome, Zoom |
| Multi-function print devices | File sharing, server configuration and secure access to wireless networks | Printers, scanners |
| Cloud platforms | Network security, access restrictions and data protection | AWS, Microsoft Azure, Google Cloud |
| Mobile devices | Browser and developer settings, app permissions and mobile operating system settings | iOS, Android |
| Network devices | Access restrictions, network segmentation, logging and monitoring | Cisco, Fortinet, Juniper |
| Server software | Baseline recommendations on storage settings, restrictions, admin controls and server settings | Docker, Apache, Kubernetes |
The Difference Between CIS Level 1 vs. Level 2
Each recommendation within a CIS Benchmark belongs to one or more profiles, most commonly Level 1 or Level 2 (many benchmarks split these further into Server and Workstation variants). The profile tells organizations which recommendations match their security needs and the resources they have available to implement them.
Level 1
Level 1 recommendations implement fundamental security measures that provide a baseline level of protection. The profile aims to reduce the attack surface by addressing the most critical and widely applicable security configurations.
They are generally straightforward to implement and establish foundational cybersecurity measures without noticeably affecting usability or the normal functioning of the technology.
Level 2
Level 2 is the "defense in depth" profile. It extends Level 1 with additional security layers and more involved configuration that further strengthen the overall security posture.
Level 2 is recommended for systems that require a higher level of security because of the sensitivity of the data they hold, elevated risk exposure or compliance requirements. These recommendations can reduce functionality or system usability if applied without testing, so each one should be evaluated against the system's role before it is rolled out.
Security Technical Implementation Guide (STIG)
Security Technical Implementation Guides are published by the Defense Information Systems Agency (DISA). Some CIS Benchmarks include an additional STIG profile whose recommendations map to the corresponding DISA STIG, so that organizations operating in highly regulated government or defense sectors can satisfy both sets of requirements from one benchmark.
Why Should MSPs Comply with CIS Security Benchmarks?
The CIS-established baselines cover more than 25 vendor product families, giving you a tested starting point for securing networks and applications against emerging risks.
Here are the top ways MSPs benefit from CIS security benchmarks.
- Regulatory compliance: CIS maps its Benchmarks and Controls to the NIST Cybersecurity Framework, PCI DSS, HIPAA and other frameworks and regulations. Hardening to the CIS baseline therefore supports much of the configuration-related evidence those regimes require, although it does not by itself make an organization compliant with any of them.
- Security configuration: A large share of reported breaches cite misconfiguration as the root cause, and Security Misconfiguration is A05 in the OWASP Top 10 (2021). For each technology, CIS Benchmarks offer detailed and actionable configuration recommendations, with step-by-step audit and remediation guidance for each setting.
- Continuous improvement: The CIS benchmarks community regularly updates its security baseline and benchmarks to address emerging threats. Compliance ensures that MSPs stay up to date with evolving best practices and cybersecurity measures.
- Cost-effective protection: The CIS Benchmark documentation is available free of charge in PDF format for anyone to download, so you can follow the latest step-by-step hardening instructions at no licensing cost. Applying these baselines consistently reduces the likelihood of financial and reputational damage from a breach.
- Broad vendor coverage: CIS itself is vendor-neutral and publishes benchmarks for products from many vendors. Because every benchmark follows the same structure and profile levels, organizations can apply a consistent hardening approach across different platforms and vendors instead of inventing a separate standard for each.
How to Get Started with the Center for Internet Security Benchmarks
Complying with CIS benchmarks involves a systematic process of implementing the recommended security configurations and CIS controls for various technologies.
Here’s a general guide on how to comply with CIS benchmarks.
Identify Applicable Benchmarks
CIS Benchmarks cover many systems, applications and platforms, so choose the ones that match the versions actually deployed in your organization's IT infrastructure. Review the description and rationale accompanying each recommendation to understand why a setting is recommended and what impact it may have. This knowledge will help you make informed decisions during implementation.
Conduct a Security Assessment
Perform a comprehensive security assessment of your current systems and configurations, using the audit procedure that each benchmark recommendation provides (or an assessment tool that automates it). Record every setting that deviates from the benchmark recommendation. This assessment becomes the baseline against which you measure progress.
Configure Systems According to Benchmarks
Apply the recommended configurations to your systems using the remediation procedure in each benchmark recommendation. This step involves adjusting settings related to user accounts, network services, authentication methods, logging and more. Test changes on a non-production system first, especially Level 2 items, because some recommendations restrict functionality that applications may depend on.
Customize for Operational Needs
While CIS Benchmarks provide a baseline, they also recognize the need for flexibility. Where a recommendation conflicts with an operational requirement, document the exception, the business reason and the compensating control rather than silently skipping it, so that the deviation is visible in later audits and can be revisited. Security measures should align with business needs while maintaining functionality and usability.
Establish Monitoring and Auditing
Implement monitoring and auditing mechanisms to regularly assess compliance of systems with the CIS Benchmarks. Configurations drift over time as software is updated and administrators make changes, so this involves continuous monitoring of security configurations and scheduled re-audits to verify that remediated settings are still in place.
Stay Informed
Stay informed about updates to CIS benchmarks. Regularly check for new releases and updates that address emerging threats and vulnerabilities. Implement these updates to maintain the effectiveness of security controls.
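The Level 1 / Level 2 profiles above and the assess, configure, customize and monitor steps in this section are easiest to see in code. The following example is added here and is not CIS's own tooling or code from the original post: it audits a constructed OpenSSH `sshd_config` against a handful of benchmark-style recommendations, tags each with an illustrative profile level, records risk-accepted exceptions, and rewrites the failing settings. The recommendation IDs, level assignments and the sample config are assumptions made for the example; the real benchmark for your platform is the authority on which profile each recommendation belongs to.

```python
"""Audit a constructed sshd_config against CIS-style hardening recommendations,
report per-profile deviations, honour documented exceptions, and remediate.
Added example; IDs, levels and the sample file are illustrative, not CIS's."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Recommendation:
    rec_id: str                  # illustrative id, not CIS numbering
    title: str
    level: int                   # 1 = baseline, 2 = defense in depth
    keyword: str                 # sshd_config keyword (matched case-insensitively)
    default: str                 # value sshd assumes when the keyword is absent
    passes: Callable[[str], bool]
    remediation: str             # value written when the check fails


# Illustrative recommendation set; level assignments are assumptions.
RECOMMENDATIONS = [
    Recommendation("ssh-01", "SSH root login is disabled", 1,
                   "PermitRootLogin", "prohibit-password",
                   lambda v: v.lower() == "no", "no"),
    Recommendation("ssh-02", "SSH MaxAuthTries is 4 or less", 1,
                   "MaxAuthTries", "6",
                   lambda v: v.isdigit() and int(v) <= 4, "4"),
    Recommendation("ssh-03", "SSH LogLevel is VERBOSE", 1,
                   "LogLevel", "INFO",
                   lambda v: v.upper() == "VERBOSE", "VERBOSE"),
    Recommendation("ssh-04", "SSH X11 forwarding is disabled", 2,
                   "X11Forwarding", "no",
                   lambda v: v.lower() == "no", "no"),
]

# Constructed sample input. The duplicate PermitRootLogin line is deliberate:
# sshd uses the FIRST value it sees, so "yes" wins and the later "no" is ignored.
SAMPLE_SSHD_CONFIG = """\
# constructed sample, not a real host's file
Port 22
PermitRootLogin yes
MaxAuthTries 6
#LogLevel VERBOSE
X11Forwarding yes
PermitRootLogin no
"""


@dataclass(frozen=True)
class Finding:
    rec_id: str
    level: int
    status: str          # "pass", "fail", "accepted" or "skipped"
    observed: str
    note: str = ""


def _first_match_index(lines: list[str]) -> int:
    """Index of the first 'Match' block, or len(lines); keywords inside a Match
    block are conditional, so the audit and remediation only touch global lines."""
    return next((i for i, l in enumerate(lines)
                 if re.match(r"^\s*match\b", l, re.IGNORECASE)), len(lines))


def parse_sshd_config(text: str) -> dict[str, str]:
    """Return the effective global keyword -> value map (first occurrence wins,
    comments and blank lines ignored), mirroring how sshd reads the file."""
    lines = text.splitlines()
    effective: dict[str, str] = {}
    for line in lines[:_first_match_index(lines)]:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        effective.setdefault(parts[0].lower(), parts[1].strip())
    return effective


def audit(text: str, profile_level: int = 1,
          exceptions: dict[str, str] | None = None) -> list[Finding]:
    """Evaluate every recommendation at or below profile_level (Level 2 includes
    Level 1). exceptions maps rec_id -> documented reason for a risk-accepted
    deviation, which is reported as 'accepted' instead of 'fail'."""
    exceptions = exceptions or {}
    effective = parse_sshd_config(text)
    findings = []
    for rec in RECOMMENDATIONS:
        if rec.level > profile_level:
            findings.append(Finding(rec.rec_id, rec.level, "skipped", "", "outside profile"))
            continue
        observed = effective.get(rec.keyword.lower(), rec.default)
        if rec.passes(observed):
            status, note = "pass", ""
        elif rec.rec_id in exceptions:
            status, note = "accepted", exceptions[rec.rec_id]
        else:
            status, note = "fail", f"expected {rec.remediation}"
        findings.append(Finding(rec.rec_id, rec.level, status, observed, note))
    return findings


def remediate(text: str, findings: list[Finding]) -> str:
    """Rewrite each failing keyword. Because sshd honours the first occurrence,
    the first active global line is replaced in place; a keyword that is absent
    or only commented out is prepended so nothing later can override it."""
    to_fix = {f.rec_id for f in findings if f.status == "fail"}
    lines = text.splitlines()
    stop = _first_match_index(lines)
    prepend = []
    for rec in RECOMMENDATIONS:
        if rec.rec_id not in to_fix:
            continue
        pattern = re.compile(rf"^\s*{re.escape(rec.keyword)}[\s=]", re.IGNORECASE)
        for i in range(stop):
            if pattern.match(lines[i]):
                lines[i] = f"{rec.keyword} {rec.remediation}"
                break
        else:
            prepend.append(f"{rec.keyword} {rec.remediation}")
    return "\n".join(prepend + lines) + "\n"


def summarize(findings: list[Finding]) -> dict[str, int]:
    return {s: sum(1 for f in findings if f.status == s)
            for s in ("pass", "fail", "accepted", "skipped")}


if __name__ == "__main__":
    exc = {"ssh-04": "X11 required on this jump host; exception tracked in ticket"}
    for level in (1, 2):
        print(f"Level {level}:", summarize(audit(SAMPLE_SSHD_CONFIG, level, exc)))
    hardened = remediate(SAMPLE_SSHD_CONFIG, audit(SAMPLE_SSHD_CONFIG, 2))
    print(hardened)
    print("re-audit:", summarize(audit(hardened, 2)))
```

Running it shows three Level 1 failures on the sample file (root login, MaxAuthTries, and LogLevel, which fails because the only `LogLevel` line is commented out and the sshd default is INFO), with X11 forwarding skipped at Level 1 and reported as an accepted exception at Level 2. The re-audit of the remediated file passes at Level 2, and the prepended `LogLevel VERBOSE` line demonstrates why a remediation script must respect first-value-wins semantics rather than appending to the end of the file.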
Use SaaS Alerts to Improve Your CIS Compliance
SaaS Alerts offers a robust security platform to help you achieve CIS compliance and maintain a secure IT environment. MSPs enhance their ability to meet security compliance by:
- Setting up security alerts with our platform to identify and remediate any deviations from secure configurations
- Gaining visibility into dashboards that display compliance status and key security metrics
- Leveraging our automated response module to support the incident response safeguards in the CIS Controls (the benchmarks themselves address configuration, not incident handling)
Start a free trial to see SaaS Alerts in action.