CIS Benchmarks are published by the Center for Internet Security (CIS). At the time of this writing, there are more than 140 CIS Benchmarks in total, spanning seven core technology categories. CIS Benchmarks are developed through a unique consensus-based process involving communities of cybersecurity professionals and subject matter experts around the world. These experts continuously identify, refine and validate security best practices within their areas of focus.
How are CIS Benchmarks organised?
Each CIS Benchmark includes multiple configuration recommendations based on one of two profile levels. Level 1 benchmark profiles cover base-level configurations that are easier to implement and have minimal impact on business functionality. Level 2 benchmark profiles are intended for high-security environments and require more coordination and planning to implement with minimal business disruption.
There are seven (7) core categories of CIS Benchmarks:
1. Operating systems benchmarks cover security configurations of core operating systems, such as Microsoft Windows, Linux® and Apple OSX. These include best-practice guidelines for local and remote access restrictions, user profiles, driver installation protocols and internet browser configurations.
2. Server software benchmarks cover security configurations of widely used server software, including Microsoft Windows Server, SQL Server, VMware, Docker and Kubernetes. These benchmarks include recommendations for configuring Kubernetes PKI certificates, API server settings, server admin controls, vNetwork policies and storage restrictions.
3. Cloud provider benchmarks address security configurations for Amazon Web Services (AWS), Microsoft® Azure, Google, IBM® and other popular public clouds. They include guidelines for configuring identity and access management (IAM), system logging protocols, network configurations and regulatory compliance safeguards.
4. Mobile device benchmarks address mobile operating systems, including iOS and Android, and focus on areas such as developer options and settings, OS privacy configurations, browser settings and app permissions.
5. Network device benchmarks offer general and vendor-specific security configuration guidelines for network devices and applicable hardware from Cisco, Palo Alto Networks, Juniper and others.
6. Desktop software benchmarks cover security configurations for some of the most commonly used desktop software applications, including Microsoft Office and Exchange Server, Google Chrome, Mozilla Firefox and Safari Browser. These benchmarks focus on email privacy and server settings, mobile device management, default browser settings and third-party software blocking.
7. Multi-function print device benchmarks outline security best practices for configuring multi-function printers in office settings and cover such topics as firmware updating, TCP/IP configurations, wireless access configuration, user management and file sharing.