The Center for Internet Security (CIS) benchmarks are a set of best-practice cybersecurity standards for a range of IT systems and products. CIS Benchmarks provide the baseline configurations to ensure compliance with industry-agreed cybersecurity standards. The benchmarks are developed by CIS alongside communities of cybersecurity experts within industry and research institutes.
CIS Benchmarks can be seen as frameworks to configure IT services and products. Organizations can use the guidelines to improve cybersecurity and help protect against cyber threats. CIS Benchmarks cover a huge range of products and systems including server software, operating systems and network devices. These systems are widespread in all modern organizations and offices, making CIS Benchmarks a vital tool when it comes to closing vulnerabilities in an IT network.
CIS Benchmarks are free to use and are easily downloaded. They're useful to any stakeholders dealing with an organization's IT governance, cybersecurity policies and systems. The Center for Internet Security also offers a membership option which enhances cybersecurity compliance monitoring and resources. CIS Benchmarks are also important to IT system vendors, who can gain certification to show the product reaches CIS compliance.
This article explores CIS Benchmarks, what they consist of, and the benefits they can bring to organizations. It also covers the wider programs and services offered by the Center for Internet Security, including CIS Controls and CIS certification.
What is the Center for Internet Security?
The Center for Internet Security (CIS) is a not-for-profit organization which aims to identify and promote best-practice cybersecurity standards and policies. It develops and promotes IT security guidance with the input from a community of cybersecurity experts. CIS draws members from a range of backgrounds including private companies, government, and research institutions. The aim is to take a collaborative approach to improving cybersecurity and responding to known cyber threats. To achieve this, CIS provides a range of tools, resources and programs to enable best-practice IT governance within organizations and government. Many of these tools and resources can be accessed free of charge. CIS actively monitors cyber threats to help national and local governments to promote cybersecurity procedures through the Multi-State Information Sharing and Analysis Center (MS-ISAC). MS-ISAC provides members with resources and tools for improved IT governance, cybersecurity notifications, and reports on active cyber threats. CIS offer different programs to organizations to promote cybersecurity procedures. CIS Controls provide organizations with a set of procedures to bolster cybersecurity and respond to incidents. They consist of focused actions to lower the risk of cyber threats and steps to resolve serious IT incidents. CIS Benchmarks help improve cybersecurity by providing best-practice configuration of IT systems and products. Organizations will generally use multiple benchmarks to ensure the secure setup of individual components of an IT Network.What are CIS Benchmarks?
CIS Benchmarks are frameworks for calibrating a range of IT services and products to ensure the highest standards of cybersecurity. They're developed through a collaborative process with input from experts within the cybersecurity community. There are more than 100 different benchmarks covering a range of well-known vendors and systems. CIS Benchmarks provide guidance for all areas of an IT network, including operating systems, server systems, office software and network devices. CIS Benchmarks are free to download and use. The documents cover everything from initial set up to configuration of all parts of the IT system. The guidance is regularly updated and renewed to reflect new iterations of the IT service or product. CIS Benchmarks represent the baseline settings to ensure an IT system or product is secure. The aim is to enhance international cybersecurity standards in all types of organizations. CIS Benchmarks are used by organizations, governments and institutes across the world. CIS Benchmarks are compatible with existing IT risk management policies and procedure. They can slot into well-known frameworks for IT governance such as the NIST Cybersecurity Framework.The benefits of CIS Benchmarks
CIS Benchmarks help organizations set up IT and technology systems to ensure best practice cybersecurity defense. Guidelines play an important role in forming an organization's cybersecurity policy. There are benchmarks for many types of technologies, including popular operating systems and browsers. Each element of an organization's IT network may have cybersecurity vulnerabilities if not configured correctly. By following CIS Benchmarks, organizations can secure IT systems using a framework developed by leading cybersecurity experts. Benefits of CIS Benchmarks include:- Strengthen vulnerabilities which can cause serious cybersecurity incidents.
- CIS Benchmarks are aligned to the best-known IT systems and technology.
- Free to download and embed.
- Developed with expert input from a community of cybersecurity specialists.
- A clear tool in enhancing IT governance procedure.
- Safeguarding of vital IT systems within an organization, from operating systems to networks.
What is the structure of CIS Benchmarks?
CIS Benchmarks are free to download and implement and take the form of a PDF document. Each benchmark follows a similar structure. The beginning provides an overview of the benchmark, outlining definitions and the benchmark's intended audience. The main bulk of the CIS Benchmarks document is a series of recommendations to ensure correct configuration of an IT system. Each CIS Benchmark may have hundreds of recommendations, which are grouped into different policies and areas of the IT system. For example, this may include cybersecurity recommendations for security options or account policies. Each recommendation follows the same structure. It includes a description, the rationale behind the guidance, the impact it may have on cybersecurity, and how to implement it. There is also guidance on performing an internal audit to confirm CIS compliance. The recommendations are either 'scored', or 'not scored'. 'Scored' recommendations are mandatory to achieve CIS compliance, and if not met will lower the total benchmark score. Recommendations which are 'not scored' have no impact on the overall score of the benchmark. CIS Benchmarks contain a checklist appendix which helps compliance monitoring for each recommendation.What parts of an organization can CIS Benchmarks help?
CIS Benchmarks provide standards for the proper configuration of a range IT technologies and systems. Covering everything from desktop software to mobile devices, these systems are an integral part of any modern organization. CIS Benchmarks provide clear best practice guidance created by a community of experts, so are an important tool for any IT governance strategy. Organizations can use CIS Benchmarks to make focused improvements to specific areas of their IT systems. Properly embedding IT systems will strengthen vulnerabilities in an organization's IT network, improving cybersecurity defense. CIS Benchmarks can be grouped into seven main areas:- Server software
- Multi-function print devices
- Cloud providers
- Mobile devices
- Desktop software
- Network devices
- Operating systems
How are CIS Benchmarks developed?
CIS Benchmarks are developed with input from a range of volunteer cybersecurity and IT system experts. Every CIS Benchmark completes a two-step process of consensus review. The first step sees a panel or cybersecurity experts create, discuss and test a draft version of the benchmark recommendations. Once the experts achieve a consensus on the draft CIS Benchmark guidance, it is published for review from the wider community of cybersecurity experts. The second step has a network of cybersecurity professionals from across the globe review the CIS Benchmark recommendations. Feedback from the wider community is collected and reviewed by the expert panel, with the benchmark amended to ensure best practice standards. Updates to CIS Benchmarks will generally be triggered by new versions of the IT system or product being released.What are CIS Benchmark profiles?
To help organizations with implementation, each recommendation within a CIS Benchmark is assigned a level 1 or level 2 profile. The profile levels represent the potential impact of a recommendation on the organization's IT systems and cybersecurity defense. It helps organizations understand which recommendations meet their cybersecurity needs and available resources. Profiles reiterate the importance of using a test environment when implementing CIS Benchmark recommendations. A level 1 profile is generally assigned to surface-level recommendations which can be quickly implemented. Organizations will generally be able to continue normal operations when introducing recommendations of this level. Level 2 profiles are linked to recommendations which deal with areas of significant importance to IT systems and cybersecurity. These recommendations will cover policies and parts of IT systems which are vital to cybersecurity. Level 2 profiles deal with areas with heightened security considerations, or where there is risk of negative impact on IT systems.What are CIS Controls?
CIS Controls, or CIS Critical Security Controls for Effective Cyber Defense, are a set of clear actions for organizations to strengthen cybersecurity. CIS Controls are a separate program by the Center for Internet Security, but are referenced throughout CIS Benchmarks. The aim of CIS Controls is to provide clear, focused actions which will have an impact on severe threats to IT systems. There are 20 different CIS Controls, which consist of a range of actions to improve resilience to cyberattacks. They are designed to be straightforward and effective, helping to mitigate the potential damage from known cyber threats. Whereas CIS Benchmarks focus on cybersecurity baseline of a specific system or product, CIS Controls are guidelines for the entire IT system. They are important tools for any strategic IT governance decisions or risk management process. CIS Controls are referenced throughout CIS Benchmarks, as each recommendation will be mapped to one or more CIS Controls. This helps organizations understand the impact of each CIS Benchmark recommendation on the wider cybersecurity defense.20 CIS Controls explained
The 20 CIS Controls are grouped into three categories to help with implementation. The first six are in the 'basic' category, and consist of clear baseline actions to help any organization prepare cybersecurity defense. The next eight are within the 'foundational' category, which provide technical actions to further improve cybersecurity defense in all organizations. The final four CIS Controls are within the 'organizational' category, which deal with the general operation of the IT system. This category focuses on the structure of the organization itself, including procedures for incident response and wider training programs. The 20 CIS Controls are:Basic CIS Controls
- Inventory and Control of Hardware Assets
- Inventory and Control of Software Assets
- Continuous Vulnerability Management
- Controlled Use of Administrative Privileges
- Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
- Maintenance, Monitoring and Analysis of Audit Logs
Foundational CIS Controls
- Email and Web Browser Protections
- Malware Defenses
- Limitation and Control of Network Ports, Protocols and Services
- Data Recovery Capabilities
- Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
- Boundary Defense
- Data Protection
- Controlled Access Based on the Need to Know
- Wireless Access Control
- Account Monitoring and Control
Organizational CIS Controls
- Implement a Security Awareness and Training Program
- Application Software Security
- Incident Response and Management
- Penetration Tests and Red Team Exercises
What are CIS Controls implementation groups?
CIS Controls are prioritized, as to help organizations perform actions with the most positive impact. The CIS Controls are prioritized for different 'implementation groups'. In effect, these are different groups of organizations which vary in scale, scope, and cybersecurity requirements. Organizations assess which group they belong to, which helps them understand which CIS Controls to implement in line with their risk profile and strategic resources. Implementation groups play a key role in strategic risk management and planning. They weight up the risks and resources to help organizations take focused actions suitable to their cybersecurity needs. There are three implementation groups:- Implementation group 1
- Implementation group 2
- Implementation group 3