Developed by a global community of cybersecurity professionals, CIS Benchmarks are a collection of best practices for securely configuring IT systems, software, networks, and cloud infrastructure.
What are CIS Benchmarks?
CIS Benchmarks, published by the Center for Internet Security (CIS), are documented industry best practices for securely configuring IT systems, software, and networks. Currently, there are more than 140 CIS Benchmarks in total, spanning across seven core technology categories. CIS Benchmarks are developed through a unique consensus-based process involving communities of cybersecurity professionals and subject matter experts around the world, each of which continuously identifies, refines, and validates security best practices within their areas of focus.
About the Center for Internet Security (CIS)
CIS is a nonprofit organization established in October 2000. CIS is driven by a global IT community with the common goal of identifying, developing, validating, promoting, and sustaining best practice solutions for cyber defense. Over the years, CIS has produced and distributed several free tools and solutions for enterprises of all sizes, designed to strengthen their cybersecurity readiness.
CIS is most commonly known for its release of CIS Controls, a comprehensive guide of 20 safeguards and countermeasures for effective cyber defense. CIS Controls provide a prioritized checklist that organizations can implement to reduce their cyber-attack surface significantly. CIS Benchmarks reference these controls when building recommendations for better-secured system configurations.
How are CIS Benchmarks organized?
Each CIS Benchmark includes multiple configuration recommendations based on one of two profile levels. Level 1 benchmark profiles cover base-level configurations that are easier to implement and have minimal impact on business functionality. Level 2 benchmark profiles are intended for high-security environments and require more coordination and planning to implement with minimal business disruption.
There are seven (7) core categories of CIS Benchmarks:
- Operating systems benchmarks cover security configurations of core operating systems, such as Microsoft Windows, Linux, and Apple OSX. These include best-practice guidelines for local and remote access restrictions, user profiles, driver installation protocols, and internet browser configurations.
- Server software benchmarks cover security configurations of widely used server software, including Microsoft Windows Server, SQL Server, VMware, Docker, and Kubernetes. These benchmarks include recommendations for configuring Kubernetes PKI certificates, API server settings, server admin controls, vNetwork policies, and storage restrictions.
- Cloud provider benchmarks address security configurations for Amazon Web Services (AWS), Microsoft Azure, Google, IBM, and other popular public clouds. They include guidelines for configuring identity and access management (IAM), system logging protocols, network configurations, and regulatory compliance safeguards.
- Mobile device benchmarks address mobile operating systems, including iOS and Android, and focus on areas such as developer options and settings, OS privacy configurations, browser settings, and app permissions.
- Network device benchmarks offer general and vendor-specific security configuration guidelines for network devices and applicable hardware from Cisco, Palo Alto Networks, Juniper, and others.
- Desktop software benchmarks cover security configurations for some of the most commonly used desktop software applications, including Microsoft Office and Exchange Server, Google Chrome, Mozilla Firefox, and Safari Browser. These benchmarks focus on email privacy and server settings, mobile device management, default browser settings, and third-party software blocking.
- Multi-function print device benchmarks outline security best practices for configuring multi-function printers in office settings and cover such topics as firmware updating, TCP/IP configurations, wireless access configuration, user management, and file sharing.
CIS Hardened Images
CIS also offers pre-configured Hardened Images that enable enterprises to perform computing operations cost-effectively without needing to invest in additional hardware or software. Hardened images are much more secure than standard virtual images, and they significantly limit the security vulnerabilities that can lead to a cyberattack.
CIS Hardened Images were designed and configured in compliance with CIS Benchmarks and Controls and have been recognized to be fully compliant with various regulatory compliance organizations. CIS Hardened Images are available for use in nearly all major cloud computing platforms and are easy to deploy and manage.
CIS Benchmarks and regulatory compliance
CIS Benchmarks align closely with–or 'map to'—security and data privacy regulatory frameworks including the NIST (National Institute of Standards and Technology) Cybersecurity Framework, the PCI DSS (Payment Card Industry Data Security Standard) (PCI DSS), HIPAA (Health Insurance Portability and Accountability Act), and ISO/EIC 2700. As a result, any organization operating in an industry governed by these types of regulations can make significant progress toward compliance by adhering to CIS Benchmarks. In addition, CIS Controls and CIS Hardened Images can help support an organization's compliance with GDPR (the EU's General Data Protection Regulation).
Benefits of CIS Benchmarks
While enterprises are always free to make their own choices around security configurations, CIS Benchmarks recommendations offer the following:
- The collected expertise of a global community of IT and cybersecurity professionals.
- Regularly updated, step-by-step guidance for securing every area of the IT infrastructure.
- Compliance management consistency.
- A flexibility template for securely adopting new cloud services and for executing digital transformation strategies.
- Easy-to-deploy configurations for improved operational efficiency and sustainability.
CIS Benchmarks and IBM Cloud
Some of the major roadblocks that organizations face when scaling their business and moving toward public cloud adoption are related to cybersecurity preparedness. IBM has partnered with the Center of Internet Security (CIS) for years to establish the best security process for customers utilizing their cloud services and supporting technologies.
In collaboration with CIS, IBM has already been awarded CIS Security Software Certification Benchmarks on a variety of IBM products. IBM continues to develop additional benchmarks for IAM, logging and monitoring, networking and storage, Database-as-a-Service (DBaaS), and Kubernetes.
For more information on CIS Benchmarks and guidance on how to better configure and secure your cloud environment, explore IBM's suite of cloud security services. Sign up for an IBMid and create your IBM Cloud account.