Secure configuration is the foundation of cybersecurity and compliance, and as previously discussed, CIS benchmarks are the accepted best practice.
However, organizations often struggle when they try to apply CIS benchmarks to their environments. The necessary assessment and reporting processes are often a sticking point, as they can become highly resource intensive.
In this article, we’ll look at how organizations can apply CIS benchmarks to achieve security and compliance objectives — without overwhelming their human or financial resources.
How To Apply CIS Benchmarks for Compliance
One of the top reasons why organizations decide to build CIS benchmarks into their cybersecurity programs is to help achieve compliance objectives.
There’s an old adage that compliance does not equal security, and that’s true. However, compliance is the introductory bar that organizations must clear when assembling a cybersecurity program. Compliance with major frameworks is often a legal or contractual requirement (PCI DSS, for example, is enforced through the card brands’ contracts rather than by statute), and non-compliance can carry hefty fines.
So where do CIS benchmarks come in?
Many compliance frameworks point to CIS benchmarks as the accepted best practice for secure configuration. Even when frameworks don’t reference them directly, the communities surrounding those frameworks often recommend CIS benchmarks as an ideal ‘on ramp’ to achieving compliance.
How CIS Benchmarks Map to Major Frameworks
Major compliance frameworks don’t just recommend CIS benchmarks as a good starting point. Many of the industry’s largest and most important frameworks map directly to them. Top examples include:
The Payment Card Industry Data Security Standard (PCI DSS)
PCI DSS is a global information security standard that must be met by any organization that stores, processes, or transmits payment card data for any of the major card brands. The PCI DSS standard directly references CIS benchmarks (and CIS Controls) to help protect payment card information. That makes CIS benchmarks an ideal tool to help organizations achieve PCI DSS compliance.
Specifically, CIS benchmarks are referenced by PCI DSS Requirement 2.2, which requires configuration standards for all system components to be based on industry-accepted hardening standards and names CIS as one source. In combination with CIS Controls, the benchmarks can aid organizations with multiple aspects of compliance, including:
- 1 Firewall and Router Configurations
- 6.1 Patch Management
- 6.4 Change Control
- 7.1 Access Control
The National Institute of Standards and Technology’s Cybersecurity Framework (NIST CSF)
CIS benchmarks and CIS Controls are widely recognized as a best practice starting point for aligning with NIST CSF. While the benchmarks help organizations achieve the foundational security posture needed for a strong security program, the CIS Controls map closely to the wider security requirements of NIST CSF.
The Federal Information Security Modernization Act (FISMA), the US federal law that NIST’s security standards and guidance implement, also points to CIS resources for cybersecurity compliance. NIST’s National Checklist Program Repository lists CIS benchmarks for federal agencies and other organizations trying to meet FISMA requirements.
Note that while other industry frameworks may not reference them directly, CIS benchmarks are widely accepted as best practice for secure configuration. They are used by organizations all over the world to achieve compliance with a wide variety of frameworks and regulatory requirements, including the GDPR, HIPAA, ISO/IEC 27001, and many others.
Configuring for Security vs. Compliance
When it comes to secure configuration, the approach needed to maximize security differs slightly from the approach needed to meet compliance objectives.
Compliance with industry frameworks is essentially a case of ensuring that all in-scope assets are configured in line with best practice. For most frameworks, that means ensuring those assets meet the applicable CIS benchmark, typically its Level 1 profile.
For security purposes, things are less prescriptive. An organization that takes cybersecurity seriously may, as a starting point, decide to maintain asset configuration in line with the CIS benchmark Level 2 profile: a stricter set of recommendations intended to maximize security through ‘defense in depth’. Level 2 settings are more labor intensive to implement and maintain, can reduce functionality or break applications if applied without testing, and are designed for organizations that have greater cybersecurity needs.
Beyond this, security-conscious organizations may decide to augment CIS benchmarks with their own configuration standards. This is likely in highly targeted sectors like telecommunications and government, but may be appropriate for other organizations if:
- They are frequently targeted by attackers; or,
- They rely on technologies for which no CIS benchmark exists.
In these cases, organizations should develop a set of additional configuration standards that address their specific needs, and use them in conjunction with the appropriate level of CIS benchmarks.
Reporting on CIS Benchmarks
CIS benchmark reporting doesn’t have to be complex. Each asset — whether it’s a server, an application, or something else — should have an owner. Asset owners should receive regular reports to let them know whether their assets are compliant with the relevant CIS benchmarks. If an asset isn’t compliant, the owner should also receive guidance on how to bring it back into compliance.
While that process may sound simple, it can be difficult in practice. Business environments are often highly complex, which can make it challenging to report on and action configuration issues. This is particularly true if benchmark assessments are completed manually, as regular manual assessments and reporting can be extremely resource intensive.
This is why many organizations use automated CIS benchmark tools — often built into system and file integrity monitoring solutions — to automate the assessment and reporting process.
Interpreting Assessment Results
When an organization first adopts CIS benchmarks, it can be difficult to know what a ‘good’ assessment result is. Configuration management is a complex field, and it’s likely that the first assessment will identify a large number of non-compliance issues. Conducting an initial assessment is an essential first step, as it provides a baseline to measure success against over time.
To identify your organization’s configuration baseline, conduct a manual or solution-assisted assessment of your environment against CIS benchmarks. If you’re using an automated solution, it should provide clear reporting to show how close your organization is to full compliance. With manual assessments, you’ll need to develop a simple reporting process that clearly articulates your organization’s current position. Finally, agree a timeline with all stakeholders to bring the organization into full compliance.
Interpreting the results of further assessments is simpler. Further assessments should be conducted regularly to an agreed schedule, and reporting from each assessment should demonstrate progress toward full compliance. Critically, each assessment report should demonstrate that the organization is on track to achieve full compliance within the agreed timescales. To this end, it may be helpful to agree some simple CIS benchmark metrics, e.g., the percentage of recommendations passed per asset owner, the number of outstanding issues, and the number of items that passed in the previous assessment but fail now.
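The metrics described above, worked through as an added example (this is not CimTrak output or code from the original article): assessment results from a baseline run and a follow-up run are scored per asset owner, separately for Level 1 only and for Level 1 plus Level 2, and the outstanding issues and regressions (items that passed in the baseline but fail in the follow-up) are listed. The assets, owners, run labels, and recommendation numbers are constructed for illustration and do not correspond to any specific CIS benchmark.

```python
"""Simple CIS benchmark compliance metrics from assessment results.

Constructed example: each Result row records one benchmark recommendation
checked on one asset in one assessment run. Any assessment tool's output
(CSV, JSON, XCCDF) can be flattened into this shape.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Result:
    run: str      # assessment run label, e.g. "baseline"
    asset: str    # hostname or asset identifier
    owner: str    # accountable asset owner who receives the report
    rec_id: str   # benchmark recommendation number (illustrative values)
    level: int    # CIS profile level of the recommendation: 1 or 2
    passed: bool  # True if the asset met the recommendation


# Constructed sample data: two runs, one month apart, against two assets.
RESULTS = [
    Result("baseline", "web01", "app-team", "5.2.10", 1, False),
    Result("baseline", "web01", "app-team", "1.1.1.1", 1, True),
    Result("baseline", "web01", "app-team", "3.3.1", 2, False),
    Result("baseline", "db01", "dba-team", "5.2.10", 1, True),
    Result("baseline", "db01", "dba-team", "1.1.1.1", 1, False),
    Result("baseline", "db01", "dba-team", "3.3.1", 2, True),
    Result("followup", "web01", "app-team", "5.2.10", 1, True),
    Result("followup", "web01", "app-team", "1.1.1.1", 1, True),
    Result("followup", "web01", "app-team", "3.3.1", 2, False),
    Result("followup", "db01", "dba-team", "5.2.10", 1, False),  # regression
    Result("followup", "db01", "dba-team", "1.1.1.1", 1, True),
    Result("followup", "db01", "dba-team", "3.3.1", 2, True),
]


def compliance_by_owner(results, run, max_level=2):
    """Return {owner: percentage of recommendations passed} for one run.

    max_level=1 scores only Level 1 items (the usual compliance target);
    max_level=2 also counts the stricter Level 2 defense-in-depth items.
    """
    counts = defaultdict(lambda: [0, 0])  # owner -> [passed, total]
    for r in results:
        if r.run != run or r.level > max_level:
            continue
        counts[r.owner][1] += 1
        if r.passed:
            counts[r.owner][0] += 1
    return {o: round(100.0 * p / t, 1) for o, (p, t) in counts.items()}


def outstanding(results, run):
    """Failing (asset, rec_id) pairs in a run: the 'open issues' metric."""
    return sorted((r.asset, r.rec_id)
                  for r in results if r.run == run and not r.passed)


def regressions(results, old_run, new_run):
    """Items that passed in old_run but fail in new_run (backsliding)."""
    old_pass = {(r.asset, r.rec_id)
                for r in results if r.run == old_run and r.passed}
    new_fail = {(r.asset, r.rec_id)
                for r in results if r.run == new_run and not r.passed}
    return sorted(old_pass & new_fail)


def owner_report(results, old_run, new_run):
    """One summary line per owner, with the change since the previous run."""
    old = compliance_by_owner(results, old_run)
    new = compliance_by_owner(results, new_run)
    lines = []
    for owner in sorted(new):
        delta = new[owner] - old.get(owner, 0.0)
        lines.append(f"{owner}: {new[owner]:.1f}% compliant "
                     f"({delta:+.1f} pts since {old_run})")
    return lines


if __name__ == "__main__":
    for line in owner_report(RESULTS, "baseline", "followup"):
        print(line)
    print("Level 1 only:", compliance_by_owner(RESULTS, "followup", max_level=1))
    print("Outstanding:", outstanding(RESULTS, "followup"))
    print("Regressions:", regressions(RESULTS, "baseline", "followup"))
```

Scoring Level 1 separately from Level 1 plus Level 2 matters because a compliance report and a security report can legitimately differ: in the sample data the dba-team is at 50% on Level 1 but 66.7% overall, and the regression on db01 would be invisible in a report that only tracked totals.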
Applying CIS Benchmarks with CimTrak
CimTrak is an IT integrity, security, and compliance toolset that helps automate the CIS benchmark assessment and reporting process. This provides the ability to track your organization’s progress over time, and drastically reduces the resources and level of effort needed to achieve and maintain compliance.
CimTrak monitors your environment in real-time, and helps assess asset configuration against CIS benchmarks. Where misconfigurations exist, CimTrak raises an alert and creates a report that details precisely how to bring affected assets into compliance.
This functionality makes it easy for organizations to:
Determine their starting point. CimTrak’s automated monitoring provides a clear picture of how your environment stacks up against CIS benchmarks.
Track progress towards full compliance. Manual assessments and reporting are resource intensive and prone to human error. CimTrak provides an accurate, real-time view of your organization’s progress towards full compliance with CIS benchmarks.
Stop misconfiguration issues from creeping in. Assets and files are accessed and changed constantly, making it easy for assets to fall out of compliance. CimTrak raises an alert the moment a new configuration issue arises, making it easy to avoid backsliding between assessments.
To find out more about how CimTrak can help your organization harden its systems and achieve security and compliance objectives, download the solution brief today.
June 9, 2020