CIS Benchmarks are a collection of best practices for securely configuring IT systems, software, networks, and cloud infrastructure.
CIS Benchmarks are published by the Center for Internet Security (CIS). As of this writing there are more than 140 CIS Benchmarks in total, spanning seven core technology categories. CIS Benchmarks are developed through a unique consensus-based process involving communities of cybersecurity professionals and subject matter experts around the world, each of which continuously identifies, refines, and validates security best practices within their areas of focus.
CIS (link resides outside ibm.com) is a nonprofit organization established in October 2000. CIS is driven by a global IT community with the common goal of identifying, developing, validating, promoting, and sustaining best practice solutions for cyber defense. Over the years, CIS has produced and distributed several free tools and solutions for enterprises of all sizes, designed to strengthen their cybersecurity readiness.
CIS is most commonly known for its release of CIS Controls (link resides outside ibm.com), a comprehensive guide of 20 safeguards and countermeasures for effective cyber defense. CIS Controls provide a prioritized checklist that organizations can implement to reduce their cyber-attack surface significantly. CIS Benchmarks reference these controls when building recommendations for better-secured system configurations.
Each CIS Benchmark includes multiple configuration recommendations based on one of two profile levels. Level 1 benchmark profiles cover base-level configurations that are easier to implement and have minimal impact on business functionality. Level 2 benchmark profiles are intended for high-security environments and require more coordination and planning to implement with minimal business disruption.
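To make the two profile levels concrete, here is a small evaluator, added as an illustration and not code from CIS or from this page, that filters a benchmark's recommendations by profile and checks a configuration against them. It assumes that a Level 2 profile is evaluated as a superset of Level 1 (not stated on this page), and the recommendation titles, check functions and sshd-style config values are constructed samples, not text from any CIS Benchmark.

```python
"""Illustrative evaluator for CIS-style benchmark profiles (added example, not CIS code).

Assumptions: Level 2 is evaluated as a superset of Level 1, and the
recommendations below are constructed samples in the spirit of Linux
SSH hardening checks, not quotations from a CIS Benchmark.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

Config = Dict[str, str]


@dataclass(frozen=True)
class Recommendation:
    title: str
    level: int                      # 1 = base-level profile, 2 = high-security profile
    check: Callable[[Config], bool]  # returns True when the config satisfies the item


# Constructed sample recommendations (hypothetical; not CIS text).
SAMPLE_RECOMMENDATIONS: List[Recommendation] = [
    Recommendation("SSH root login disabled", 1,
                   lambda c: c.get("PermitRootLogin") == "no"),
    Recommendation("SSH login banner configured", 1,
                   lambda c: c.get("Banner", "none") != "none"),
    Recommendation("SSH password authentication disabled", 2,
                   lambda c: c.get("PasswordAuthentication") == "no"),
]


def applicable(recs: List[Recommendation], profile: int) -> List[Recommendation]:
    """Level 1 selects only Level 1 items; Level 2 selects Level 1 and 2 (assumed superset)."""
    if profile not in (1, 2):
        raise ValueError("profile must be 1 or 2")
    return [r for r in recs if r.level <= profile]


def evaluate(config: Config, profile: int,
             recs: List[Recommendation] = SAMPLE_RECOMMENDATIONS) -> dict:
    """Report pass/fail per applicable recommendation and overall compliance."""
    results = {r.title: r.check(config) for r in applicable(recs, profile)}
    return {"profile": profile, "results": results, "compliant": all(results.values())}


# Constructed sample config in the style of sshd_config key/value pairs.
SAMPLE_CONFIG: Config = {"PermitRootLogin": "no", "Banner": "/etc/issue.net",
                         "PasswordAuthentication": "yes"}
```

The same configuration passes at Level 1 but fails at Level 2, which is the practical meaning of the page's statement that Level 2 profiles demand more planning before they can be met.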
There are seven core categories of CIS Benchmarks:
CIS also offers pre-configured Hardened Images that enable enterprises to perform computing operations cost-effectively without needing to invest in additional hardware or software. Hardened images are much more secure than standard virtual images, and they significantly limit the security vulnerabilities that can lead to a cyberattack.
CIS Hardened Images (link resides outside ibm.com) were designed and configured in compliance with CIS Benchmarks and Controls and have been recognized to be fully compliant with various regulatory compliance organizations. CIS Hardened Images are available for use in nearly all major cloud computing platforms and are easy to deploy and manage.
CIS Benchmarks align closely with, or 'map to', security and data privacy regulatory frameworks including the NIST (National Institute of Standards and Technology) Cybersecurity Framework, PCI DSS (Payment Card Industry Data Security Standard), HIPAA (Health Insurance Portability and Accountability Act), and ISO/IEC 27000. As a result, any organization operating in an industry governed by these types of regulations can make significant progress toward compliance by adhering to CIS Benchmarks. In addition, CIS Controls and CIS Hardened Images can help support an organization's compliance with GDPR (the EU's General Data Protection Regulation).
While enterprises are always free to make their own choices around security configurations, CIS Benchmarks offer: