The CIS benchmark: An Accessible Way to Protect Your Devices and Workplace

Written By
HanaByte blog on The CIS Benchmark by Jeff Pemberton

The ever-changing threats of our cyber landscape are rapidly becoming more varied and more complicated. Thankfully, CIS (Center for Internet Security) has been helping in this fight with strong recommendations for security controls since the early 2000s.

Since its founding in October 2000, CIS has continuously released new security benchmarks. These benchmarks provide a wide variety of users with the guidelines to secure their work environments. They cover cloud providers, desktop software, DevSecOps tools, mobile devices, print devices, operating systems, and server software. Every benchmark is available publicly and for free!

CIS Benchmarks Creation Overview

The CIS benchmarks are more than a list of controls: they explain the reasoning behind each control in depth and walk you through step-by-step instructions for implementing it. The Consensus Community and the CIS SecureSuite work together to provide an in-depth plan for securing different platforms with the security benchmarks. The benchmark consensus communities are open to anyone who can contribute. This provides a communal place for subject matter experts, vendors, technical writers, and CIS SecureSuite members to get together and discuss new controls for the platforms they specialize in.

The entire process requires the help of all volunteers. From the initial definition of scope and the first draft through to listening to feedback from the community, the benchmark is created with the full consensus of the community involved. This yields a wealth of knowledge about the platform in question and vetted controls that you can be sure have been closely examined by an ever-growing community of professionals. According to CIS, the number of volunteers in their benchmark communities has reached 12,000, and they are continuously looking for more. Committing even a tiny block of time to ticket reviews or control submissions is invaluable to the effort of the group as a whole. Everyone’s participation shapes the benchmarks. If you would like to be a volunteer for CIS benchmark development you can apply here!

Be a Part of the Community

As mentioned above, several roles are available in the consensus communities. Subject Matter Experts (SMEs) are trained experts with in-depth knowledge of the platform or product the benchmark is being created for; they can lead development and submit their own recommended controls for review. Technical writers are skilled, detail-oriented writers willing to proofread submissions for new benchmarks and ensure the controls are presented in a user-friendly way. Testers are volunteers with access to the products in question who should be able to implement and test the controls and provide feedback to the rest of the community based on their experience setting the controls. Finally, the contributor role allows volunteers to submit tickets to request changes to existing or new benchmarks, and contributors can be a valuable resource to anyone looking for answers about the benchmarks. Together, the consensus community forms a strong team aimed at creating a valuable resource for all of us. As an added bonus, volunteers can receive CPEs (Continuing Professional Education credits) and have the chance to be recognized publicly in the documentation. CIS currently has 107 publicly available communities. If all this sounds like something you’d like to be a part of, you can find them all on the CIS Communities page after creating a free account.

A Quick Look Into Benchmarks

Getting a peek into the benchmark of your choice is very simple! You may browse and download any of the available benchmarks from the CIS Benchmark page and begin to use them to secure your business or private environment from cyber threats. The itemized lists of controls will supply you with in-depth and current instructions for each control and provide the community’s rationale for each one. Users are under no obligation to contribute or donate to CIS for this service. The mission is simply the betterment of the internet as a whole. With more secure practices, awareness, and risk mitigation, we can strengthen ourselves against the tide of ever-increasing threats and maybe even deter future attempts to gain access to our systems. Existing benchmarks range from AWS, GCP, and Azure cloud platforms to Cisco network devices or Google Chrome.

We Can Help

While the benchmarks are accessible to all, the time needed for implementation is not always as available. If you’ve taken a look at the benchmarks, it’s clear that some time needs to be set aside to review the documentation before implementation is possible. That’s where HanaByte can help! Our team of certified professionals has extensive knowledge of many services you will find benchmarks for. We can help you understand the impact of controls by providing clear explanations and highlighting the ones your company’s users will notice, allowing you to breathe easy knowing our team of experienced experts is available for insight at any point during the process.
