Center for Internet Security (CIS)

CIS compliance means meeting CIS security standards. CIS-compliant organizations will have an established baseline for protecting their systems and data from cyberattacks. This baseline should satisfy the CIS Benchmarks, which cover a vast set of vendors and systems.

Though CIS Benchmarks stand alone, compliance with them is part and parcel of a broader IT risk management strategy. CIS Benchmarks align with essential industry regulations, including the NIST Cybersecurity Framework and HIPAA. As a result, organizations prioritizing CIS compliance will simultaneously achieve compliance with other industry regulations.

Compliance scores measure an organization’s overall compliance. This score reflects how well the organization adheres to CIS Benchmarks when configuring its systems and data. These scores can reveal where the organization needs to improve its security, which can also support internal audit. Audit teams need to familiarize themselves with every part of the system to determine whether or not configurations meet the CIS Benchmarks; compliance scores can tell them where to begin their review.

CIS Benchmarks

CIS Benchmarks can be grouped into seven main areas:
1. Server Software: CIS Benchmarks guide the proper configuration of different server software from various vendors. This includes commonly used server software such as VMware or Microsoft Windows Server. The aim is to strengthen cybersecurity through best practice configurations across different areas of the IT server system. There are CIS Benchmarks for database servers, web servers, DNS servers and authentication servers. Recommendations cover storage settings and restrictions, admin controls and server settings.
2. Multi-function Print Devices: Print devices have become targets for cyber threats as a gateway into an organization’s network. Recommendations cover topics like file sharing, server configurations and secure access to wireless networks.
3. Cloud Providers: These benchmarks provide best practice cybersecurity configurations for setting up the most well-known cloud services and infrastructure. There are benchmarks for cloud services and infrastructure from Amazon Web Services, Microsoft Azure, Oracle Cloud Infrastructure and Google Cloud Computing Platform. Recommendations cover network settings, safeguards to ensure compliance with regulations and IT governance and management.
4. Mobile Devices: These benchmarks focus on Apple iOS and Google Android mobile operating systems and devices. They provide guidance for configuring Apple iOS, iPadOS and Android operating systems. Recommendations cover topics such as browser and developer settings, app permissions and privacy and mobile operating system settings.
5. Desktop Software: CIS Benchmarks provide best practice configuration for desktop software commonly used within modern organizations. This includes benchmarks for the Microsoft Office suite of software, an integral part of the modern office. CIS Benchmarks are also provided for the top web browsers, including Google Chrome, Mozilla Firefox, Safari and Microsoft web browser. Recommendations cover areas like browser settings, management of third-party software, server settings and device management.
6. Network Devices: These CIS Benchmarks help configure network devices and hardware used within an organization’s IT system. These cover network devices and products from various vendors, including Cisco, Juniper, Check Point Firewall and Palo Alto Networks. These recommendations help to ensure cybersecurity standards across all network devices and hardware within an organization to enhance and strengthen the overall IT Governance strategy.
7. Operating Systems: CIS Benchmarks help to ensure proper cybersecurity configurations for a range of the top operating systems widely used by organizations. This includes Linux, Microsoft Windows and servers, and Apple macOS. Benchmarks are mapped to different iterations of these operating systems, with best practice guidance for both enterprise and personal versions. Operating systems form a core part of any organization’s IT systems. CIS Benchmarks help organizations configure them securely, closing vulnerabilities and lowering the risk from cyber threats. Best practice recommendations cover protocols for driver installation, user profile management and remote access restrictions.

© Sectify 2024 All Rights Reserved