CIS Compliance: What It Is & How to Comply With CIS Benchmarks

Michael Nyhuis

The Center for Internet Security (CIS) benchmarks are a set of compliance best practices for a range of IT systems and products. These benchmarks provide the baseline configurations to ensure both CIS compliance and compliance with industry-agreed cybersecurity standards. 

While CIS Benchmarks are valuable, they’re also crucial to regulatory compliance. CIS compliance standards create frameworks to configure IT services and products, all of which pave the way for overall regulatory compliance and, as a result, an effective cyber risk management strategy. Organizations can also use the guidelines to improve cybersecurity and help protect against cyber threats since CIS Benchmarks cover a range of products and systems.

This article explores what CIS compliance is, the CIS benchmarks organizations can follow and the benefits of compliance. It also covers the broader programs and services offered by the Center for Internet Security and how IT risk management technology can help your organization meet its security objectives.

 

What is the Center for Internet Security (CIS)?

The Center for Internet Security (CIS) is a not-for-profit organization which aims to identify and promote best-practice cybersecurity standards and policies. It develops and promotes IT security guidance with the input from a community of cybersecurity experts. CIS draws members from a range of backgrounds including private companies, government, and research institutions. The aim is to take a collaborative approach to improving cybersecurity and responding to known cyber threats.

To achieve this, CIS provides a range of tools, resources and programs to enable best-practice IT governance within organizations and government. Many of these tools and resources can be accessed free of charge. CIS actively monitors cyber threats to help national and local governments to promote cybersecurity procedures through the Multi-State Information Sharing and Analysis Center (MS-ISAC).

MS-ISAC provides members with resources and tools for improved IT governance, cybersecurity notifications, and reports on active cyber threats. CIS offer different programs to organizations to promote cybersecurity procedures.

 

What is CIS Compliance?

CIS compliance means meeting CIS security standards. CIS compliant organizations will have an established baseline for protecting their systems and data from cyberattacks. This baseline should satisfy the CIS benchmarks, which cover a vast set of vendors and systems.

Though CIS benchmarks stand alone, compliance with them is part and parcel of broader IT risk management strategy. CIS benchmarks align with essential industry regulations, including the NIST Cybersecurity Framework and HIPAA. As a result, organizations prioritizing CIS compliance will simultaneously achieve compliance with other industry regulations. 

Compliance scores measure an organization’s overall compliance. This score reflects how well the organization adheres to CIS benchmarks when configuring its systems and data. These scores can reveal where the organization needs to improve its security, something that can also support internal audit. 

Audit teams need to familiarize themselves with every part of the system to determine whether or not configurations meet the CIS Benchmarks; compliance scores can tell them where to begin their review.

 

What Are CIS Benchmarks?

CIS Benchmarks are frameworks for calibrating a range of IT services and products to ensure the highest standards of cybersecurity and a vital part of your organizations CIS compliance objectives. They're developed through a collaborative process with input from experts within the cybersecurity community. There are more than 100 different benchmarks covering a range of well-known vendors and systems. CIS Benchmarks provide compliance guidance for all areas of an IT network, including operating systems, server systems, office software and network devices.

CIS Benchmarks are free to download and use. The documents cover everything from initial set up to configuration of all parts of the IT system. The guidance is regularly updated and renewed to reflect new iterations of the IT service or product. CIS Benchmarks represent the baseline settings to ensure an IT system or product is secure. The aim is to enhance international cybersecurity standards in all types of organizations, including PCI DSS. CIS Benchmarks are used by organizations, governments and institutes across the world.

CIS Benchmarks are compatible with existing IT risk management policies and procedures like internal audit. Internal audit can use CIS Benchmarks as a tool to evaluate configurations for systems and data. Once the audit is complete, teams can implement the recommended CIS controls to secure the organization against cyberattacks. CIS Compliance requires organizations to follow specific controls for each benchmark, including malware and behavioral detection. 

What Is the Structure of CIS Benchmarks?

Each benchmark follows a similar structure. The beginning provides an overview of the benchmark, outlining definitions and the benchmark’s intended audience.

The bulk of the CIS Benchmarks document is a series of recommendations to ensure the correct configuration of an IT system. Each CIS Benchmark may have hundreds of recommendations grouped into different policies and areas of the IT system. 

Each recommendation follows the same structure. It includes a description, the rationale behind the guidance, the impact it may have on cybersecurity, and how to implement it. There is also guidance on performing an internal audit to confirm CIS compliance.

Scored & Unscored CIS Recommendations

Each recommendation is either ‘scored’ or ‘not scored.’ ‘Scored’ recommendations are mandatory to achieve CIS compliance, and if not met, they lower the total benchmark score. Recommendations that are ‘not scored’ have no impact on the overall score of the benchmark. CIS Benchmarks contain a checklist appendix that helps compliance monitoring for each recommendation.

 

How Are CIS Benchmarks Developed?

CIS Benchmarks are developed with input from a range of volunteer cybersecurity and IT system experts. Every CIS Benchmark completes a two-step process of consensus review.

The first step sees a panel of cybersecurity experts create, discuss and test a draft version of the benchmark recommendations. Once the experts agree on the draft CIS benchmark guidance, it is published for review by the broader community of cybersecurity experts.

The second step has a network of cybersecurity professionals from across the globe review the CIS Benchmark recommendations. The expert panel collects and reviews feedback from the wider community and amends the benchmark to ensure best practice standards.

Further updates to CIS benchmarks will generally be triggered by new versions of the IT system or product being released.

 

What Are CIS Benchmark Profiles?

To help organizations with implementation, each recommendation within a CIS Benchmark is assigned a level-1 or level-2 profile. The profile levels represent the potential impact of a recommendation on the organization’s IT systems and cybersecurity defense. It helps organizations understand which recommendations meet their cybersecurity needs and available resources. Profiles reiterate the importance of using a test environment when implementing CIS Benchmark recommendations.

  • Level-1 Profile: These profiles are generally assigned to surface-level recommendations that can be implemented quickly. Organizations will generally be able to continue normal operations when introducing recommendations of this level.
  • Level-2 Profile: These profiles are linked to recommendations that deal with areas of significant importance to IT systems and cybersecurity. The recommendations will cover policies and parts of IT systems that are vital to cybersecurity. Level-2 profiles deal with areas with heightened security considerations or where there is a risk of negative impact on IT systems.

 

Why Use CIS Benchmarks to Achieve CIS Compliance?

CIS Benchmarks help organizations set up IT and technology systems to ensure best practice cybersecurity defense. Guidelines play an important role in forming an organization’s cybersecurity policy. There are benchmarks for many types of technologies, including popular operating systems and browsers.

Each element of an organization’s IT network may have cybersecurity vulnerabilities if not configured correctly. Through CIS Benchmark compliance, organizations can secure IT systems using a framework developed by leading cybersecurity experts. These benchmarks also pave the way toward compliance with other critical industry regulations, like the NIST.

Benefits of compliance for CIS Benchmarks include:

  • Strengthen vulnerabilities that can cause serious cybersecurity incidents.
  • CIS Benchmarks are aligned to the best-known IT systems and technology.
  • Free to download and embed.
  • Developed with expert input from a community of cybersecurity specialists.
  • A clear tool for enhancing IT governance procedures.
  • Safeguard vital IT systems within an organization, from operating systems to networks.
  • Build a foundation of compliance with other essential industry regulations.

 

How to Use CIS Benchmarks

CIS Benchmarks provide standards for the proper configuration of a range of IT technologies and systems. Covering everything from desktop software to mobile devices, these systems are integral to any modern organization. 

Organizations can use CIS compliance standards to make focused improvements to specific areas of their IT systems. Properly embedding IT systems will strengthen vulnerabilities in an organization’s IT network, improving cybersecurity defense.

CIS Benchmarks can be grouped into seven main areas:

1. Server Software:  CIS Benchmarks guide the proper configuration of different server software from various vendors. This includes commonly used server software such as VMware or Microsoft Windows Server. The aim is to strengthen cybersecurity through best practice configurations across different areas of the IT server system. 

There are CIS Benchmarks for database servers, web servers, DNS servers and authentication servers. Recommendations cover storage settings and restrictions, admin controls and server settings.

2. Multi-function Print Devices: Print devices have become targets for cyber threats as a gateway into an organization’s network. Recommendations cover topics like file sharing, server configurations and secure access to wireless networks.

3. Cloud Providers:  Best practice cybersecurity configurations for setting up the most well-known cloud services and infrastructure. There are benchmarks for cloud services and infrastructure from Amazon Web Services, Microsoft Azure, Oracle Cloud Infrastructure and Google Cloud Computing Platform. Recommendations cover network settings, safeguards to ensure compliance with regulations and IT governance and management.

4. Mobile Devices:  These benchmarks focus on Apple iOS and Google Android mobile operating systems and devices. They provide guidance for configuring Apple iOS, iPadOS and Android operating systems. Recommendations cover topics such as browser and developer settings, app permissions and privacy and mobile operating system settings.

5. Desktop Software:  CIS Benchmarks provide best practice configuration for desktop software commonly used within modern organizations. This includes benchmarks for the Microsoft Office suite of software, an integral part of the modern office.

CIS benchmarks are also provided for the top web browsers, including Google Chrome, Mozilla Firefox, Safari and Microsoft web browser. Recommendations cover areas like browser settings, management of third-party software, server settings and device management.

6. Network Devices:  These CIS Benchmarks help configure network devices and hardware used within an organization’s IT system. These cover network devices and products from various vendors, including Cisco, Juniper, Check Point Firewall and Palo Alto Networks. 

These recommendations help to ensure cybersecurity standards across all network devices and hardware within an organization to enhance and strengthen the overall IT Governance strategy.

7. Operating systems:  CIS Benchmarks help to ensure proper cybersecurity configurations for a range of the top operating systems widely used by organizations. This includes Linux, Microsoft Windows and servers, and Apple macOS. Benchmarks are mapped to different iterations of these operating systems, with best practice guidance for both enterprise and personal versions.

Operating systems form a core part of any organization’s IT systems. CIS Benchmarks help organizations configure them securely, closing vulnerabilities and lowering the risk from cyber threats. Best practice recommendations cover protocols for driver installation, user profile management and remote access restrictions.

 

What Is CIS Certification?

Organizations that provide cybersecurity products as a service can get CIS certification for the product. This certifies that the product in question is compatible with the cybersecurity recommendations in the relevant CIS Benchmark.

Organizations must have CIS Security Software Vendor (SSV) membership before getting certified. Certification proves that the IT product or system meets best-practice cybersecurity standards. It also means users can configure the product to meet CIS Benchmark recommendations.

Organizations will need to test and document the product to demonstrate compliance with CIS Benchmarks. The Center for Internet Security will then need to validate the test results before providing certification. Once certified, organizations can display the CIS-certified logo alongside the product to highlight CIS compliance. Potential customers will know that the product complies with CIS Benchmarks, informing IT governance decisions.

What is the CIS certification process?

To achieve CIS certification, organizations must first be members of CIS Security Software Vendor (SSV) group. The next step is to record and submit evidence to prove compliance with a CIS Benchmark. Certification is against one CIS Benchmark.

To prove compliance, organizations will need to perform tests against each recommendation in the CIS Benchmark. Results are collected and submitted in the main section of the application. Documentation explores each recommendation’s pass or fail state and highlights any exemptions or mitigating factors. This includes detailed explanations for any failure.

It will usually take around two weeks for the Center for Internet Security to review a certification application. This process will take longer if the organization isn’t compliant, needs to make improvements or submits an incomplete application.

 

Using Cyber Risk Management Tools to Meet CIS Compliance Objectives

Planning, tracking and embedding CIS Benchmarks can seem complex, especially in the face of ever-evolving regulations. But following CIS benchmarks is a critical part of protecting valuable systems and data from cyberattacks. 

The right solution can help effectively demonstrate CIS compliance. Find out how combining a risk-based approach to cybersecurity with automation and data analytics tools can lead to more actionable data and greater transparency.

Download our eBook Shifting Cybersecurity from Compliance to a Risk Focus today.

Business has its risks. We can help.
Find out how Diligent can help you execute on your key risk initiatives.
Background image
Related Insights
Michael Nyhuis
Michael Nyhuis is the former Director of Audit & Compliance at Diligent and a modern governance expert with over 25 years of experience.