CIS Benchmarking refers to the CIS Benchmarks, security configuration standards developed by the Center for Internet Security.

What is CIS Benchmarking?

CIS Benchmarking refers to the CIS Benchmarks, security configuration standards that provide detailed guides for configuring systems securely.

Benchmark Types

Operating Systems

  • Windows: Windows Server, Windows 10/11
  • Linux: Ubuntu, CentOS, RHEL, SUSE
  • macOS: macOS Server, macOS Desktop
  • Unix: Solaris, AIX, HP-UX

Applications

  • Web Servers: Apache, Nginx, IIS
  • Databases: MySQL, PostgreSQL, Oracle, SQL Server
  • Email: Exchange, Postfix, Sendmail
  • DNS: BIND, Microsoft DNS

Devices

  • Firewalls: Cisco, Fortinet, Palo Alto
  • Routers: Cisco, Juniper, Huawei
  • Switches: Cisco, HP, Dell
  • Wireless: Cisco, Aruba, Ruckus

Structure

Levels

  • Level 1: Basic configurations
  • Level 2: Advanced configurations
  • Level 3: Specialized configurations
  • Custom: Custom configurations

Categories

  • System: System configuration
  • Network: Network configuration
  • Security: Security configuration
  • Application: Application configuration

Implementation

Phase 1: Analysis

  • Inventory: System inventory
  • Analysis: Current configuration analysis
  • Gaps: Gap identification
  • Prioritization: Implementation prioritization

Phase 2: Planning

  • Strategy: Implementation strategy
  • Schedule: Implementation schedule
  • Resources: Required resources
  • Risks: Risk assessment

Phase 3: Implementation

  • Configuration: Apply configurations
  • Testing: Test configurations
  • Documentation: Document changes
  • Training: Train staff

Phase 4: Operation

  • Monitoring: Configuration monitoring
  • Audits: Regular audits
  • Updates: Benchmark updates
  • Improvement: Continuous improvement
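As an added illustration of Phase 1 (inventory, current configuration analysis, gap identification and prioritization) and of the Level/Category structure described above, the following small Python assessor was written for this page; it is not CIS-CAT and not taken from any CIS benchmark. The control names, the key names in the host snapshot and the host's values are all constructed for the example.

```python
"""Minimal CIS-style configuration assessor (illustrative, not CIS-CAT)."""
from dataclasses import dataclass
from typing import Callable

@dataclass(frozen=True)
class Control:
    name: str
    level: int        # 1 = basic, 2 = advanced, mirroring benchmark profile levels
    category: str     # System / Network / Security / Application
    check: Callable[[dict], bool]

# Illustrative controls modelled on common Linux hardening items.
# Names and numbering are constructed, not the benchmark's own text.
CONTROLS = [
    Control("SSH root login disabled", 1, "Security",
            lambda c: c.get("sshd.PermitRootLogin") == "no"),
    Control("Password max age <= 365 days", 1, "System",
            lambda c: int(c.get("login.PASS_MAX_DAYS", 99999)) <= 365),
    Control("ICMP redirects not accepted", 1, "Network",
            lambda c: c.get("sysctl.net.ipv4.conf.all.accept_redirects") == "0"),
    Control("Audit logging enabled", 2, "System",
            lambda c: c.get("service.auditd") == "enabled"),
]

def assess(config: dict, profile_level: int) -> dict:
    """Run every control at or below profile_level; map control name -> pass/fail."""
    return {c.name: c.check(config) for c in CONTROLS if c.level <= profile_level}

def gaps(results: dict, profile_level: int) -> list:
    """Failed controls as (level, category, name), Level 1 gaps first (prioritization)."""
    failed = [c for c in CONTROLS if c.level <= profile_level and not results[c.name]]
    return [(c.level, c.category, c.name) for c in sorted(failed, key=lambda c: c.level)]

def score(results: dict) -> float:
    """Percentage of evaluated controls that passed (0.0 when nothing was evaluated)."""
    return 100.0 * sum(results.values()) / len(results) if results else 0.0

# Constructed snapshot of one host's current settings (the "inventory" input).
SAMPLE_HOST = {
    "sshd.PermitRootLogin": "yes",
    "login.PASS_MAX_DAYS": "90",
    "sysctl.net.ipv4.conf.all.accept_redirects": "0",
    "service.auditd": "disabled",
}

if __name__ == "__main__":
    res = assess(SAMPLE_HOST, profile_level=2)
    print(f"Compliance score: {score(res):.0f}%")
    for level, cat, name in gaps(res, 2):
        print(f"  GAP  L{level} [{cat}] {name}")
```

Evaluating the same snapshot against a Level 1 profile drops the auditd control, so the score and gap list change with the profile chosen in Phase 2 planning.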

Tools

Analysis

  • CIS-CAT: CIS Configuration Assessment Tool
  • Lynis: Security auditing tool
  • OpenSCAP: Security compliance framework
  • Nessus: Vulnerability scanner

Automation

  • Ansible: Configuration management
  • Puppet: Configuration management
  • Chef: Configuration management
  • Terraform: Infrastructure as code

Monitoring

  • SIEM: Security Information and Event Management
  • GRC: Governance, Risk and Compliance
  • CMDB: Configuration Management Database
  • Asset Management: Asset management

Best Practices

Implementation

  • Phased: Phased implementation
  • Testing: Test before implementing
  • Rollback: Rollback plans
  • Documentation: Document changes

Monitoring

  • Regularity: Regular monitoring
  • Alerts: Change alerts
  • Audits: Regular audits
  • Reports: Compliance reports

Improvement

  • Updates: Update benchmarks
  • Optimization: Optimize configurations
  • Innovation: Innovate in security
  • Collaboration: Collaborate with community
