What Are CIS Benchmarks and How Do They Help Businesses with Security Compliance?

by Hannah Grace Holladay / September 19th, 2022

CIS Benchmarks are collections of recommendations and best practices for securely configuring servers, networks, software, and other IT systems. Developed by the Center for Internet Security, the benchmarks provide guidance businesses can use to implement secure systems, assess their current level of security, and achieve regulatory compliance. 

Given the number and complexity of IT services and systems, it is challenging for businesses to develop policies and implement procedures that maintain adequate security. CIS Benchmarks provide comprehensive best practices for various platforms and technologies, including cloud platforms like AWS and Microsoft Azure.

In this article, we take a closer look at CIS Benchmarks and how businesses can use them to improve cybersecurity and compliance with information security regulations and standards. 

What is the Center for Internet Security?

The Center for Internet Security (CIS) is a non-profit organization that aims to make the internet safe by devising and promoting security best practices. It publishes the CIS Controls and CIS Benchmarks, which are developed in a crowd-sourced consensus-driven process by a membership that includes corporations, government agencies, and other institutions.

What Are CIS Benchmarks?

The CIS Benchmarks are recommendations for securing IT systems. They give businesses the information they need to verify that best practices are in place, along with instructions for implementing any that are not.

To look more closely at one of the dozens of CIS Benchmarks, the CIS Amazon Web Services Foundations Benchmark is a 250-page document covering security benchmarks for a wide range of AWS services, including identity and access management, storage, logging, monitoring, and networking. 

Each section provides best practices for commonly used services. For example, the storage section provides guidance for S3, EC2, RDS, and EFS. Each best practice includes a rationale, instructions for verifying the best practice is implemented, and remediation instructions explaining how to secure the service.

The benchmarks are a valuable resource for businesses that need to assess and improve their security posture. That’s why we use the CIS Benchmarks for cloud services—including AWS, Azure, and GCP—as the foundation of our cloud security audits.

CIS Controls vs. CIS Benchmarks

As part of its mission to promote internet security, the CIS publishes the CIS Controls, a compendium of 18 critical security best practices that businesses should follow to defend against known cyberattacks. The controls address many best practices, including for inventory control, data protection, access management, malware, network monitoring, penetration testing, and more. Like the CIS Benchmarks, the CIS Controls are free, and they can be downloaded by any business looking to implement secure systems. 

CIS Controls and CIS Benchmarks differ in specificity. Whereas the CIS Controls offer broad, high-level best practices for a wide range of systems, the CIS Benchmarks offer actionable best practices for specific platforms and technologies, including cloud platforms, operating systems, network-connected devices, and applications. Many CIS Benchmarks refer to the relevant CIS Controls so users can track their progress towards compliance. 

Which Information Security Areas Are Covered By CIS Standards?

CIS Benchmarks cover a wide array of services, platforms, and software, including, among others:

  • Desktop operating systems: Microsoft Windows and macOS.
  • Server operating systems: Debian, Ubuntu, CentOS, RHEL.
  • Server software: Microsoft IIS, Microsoft Windows Server, Nginx, Apache.
  • Virtualization and Cloud Software: VMware, Kubernetes, Docker.
  • Cloud platforms: AWS, Microsoft Azure, Google Cloud Platform, Alibaba Cloud.
  • Desktop software: Microsoft Office, Google Chrome, Safari, Zoom.

What Are CIS Benchmark Levels?

CIS tags each benchmark recommendation with one or more profiles: Level 1, Level 2, and, in some benchmarks, STIG. The profile indicates the trade-off between security and operational impact that applies when a recommendation is implemented. 

Level 1 recommendations are the basic hardening practices every system should have; they are intended to be practical to apply without inhibiting the system’s normal function or reducing performance. Level 2 recommendations extend Level 1 for environments where security is paramount, such as systems hosting sensitive data. They provide defense in depth, but they may be more difficult to implement, reduce functionality, or disrupt a business’s operations, so each should be tested against the workload before it is rolled out. 

For example, the CIS Amazon Web Services Foundations Benchmark contains the following two recommendations, applicable to Level 1 and Level 2, respectively. 

  • Level 1: Ensure CloudTrail is enabled in all regions
  • Level 2: Ensure CloudTrail log file validation is enabled
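As an added example (not CIS’s or KirkpatrickPrice’s code), the following Python script applies the audit procedure for those two recommendations, numbered 3.1 and 3.2 in versions 1.4 and 1.5 of the CIS Amazon Web Services Foundations Benchmark, to the JSON that `aws cloudtrail describe-trails` returns. The sample trail data is constructed. Two fields are assumptions: real describe-trails output does not contain `IsLogging` or `EventSelectors`; the script assumes they have been merged in from `aws cloudtrail get-trail-status` and `aws cloudtrail get-event-selectors`, which the benchmark’s audit steps for 3.1 also consult.

```python
"""Offline check of CIS AWS Foundations Benchmark 3.1 (Level 1) and 3.2
(Level 2) against describe-trails style JSON.

Added example, not code from CIS or from the page's author. Assumed
fields: 'IsLogging' (from get-trail-status) and 'EventSelectors' (from
get-event-selectors) are assumed to have been merged into each trail.
"""
import json

# Constructed sample: 'audit-trail' satisfies both recommendations;
# 'legacy-trail' is single-region and has no log file validation.
SAMPLE_DESCRIBE_TRAILS = json.dumps({
    "trailList": [
        {
            "Name": "audit-trail",
            "S3BucketName": "example-cloudtrail-logs",
            "IncludeGlobalServiceEvents": True,
            "IsMultiRegionTrail": True,
            "LogFileValidationEnabled": True,
            "IsLogging": True,  # assumed: merged from get-trail-status
            "EventSelectors": [  # assumed: merged from get-event-selectors
                {"ReadWriteType": "All", "IncludeManagementEvents": True}
            ],
        },
        {
            "Name": "legacy-trail",
            "S3BucketName": "example-old-logs",
            "IncludeGlobalServiceEvents": False,
            "IsMultiRegionTrail": False,
            "LogFileValidationEnabled": False,
            "IsLogging": True,
            "EventSelectors": [
                {"ReadWriteType": "WriteOnly", "IncludeManagementEvents": True}
            ],
        },
    ]
})


def trail_covers_all_regions(trail: dict) -> bool:
    """Audit steps for 3.1 on one trail: multi-region, includes global
    service events, actively logging, and records all management events
    (both read and write)."""
    if not (trail.get("IsMultiRegionTrail") and trail.get("IncludeGlobalServiceEvents")):
        return False
    if not trail.get("IsLogging"):
        return False
    return any(
        sel.get("IncludeManagementEvents") and sel.get("ReadWriteType") == "All"
        for sel in trail.get("EventSelectors", [])
    )


def assess_cloudtrail(describe_trails_json: str) -> dict:
    """Return pass/fail per recommendation plus the trail names that
    serve as evidence, so an audit report can cite them."""
    trails = json.loads(describe_trails_json)["trailList"]
    covering = [t["Name"] for t in trails if trail_covers_all_regions(t)]
    unvalidated = [t["Name"] for t in trails if not t.get("LogFileValidationEnabled")]
    return {
        "3.1": {
            "title": "Ensure CloudTrail is enabled in all regions (Level 1)",
            "pass": bool(covering),  # one qualifying trail is enough
            "evidence": covering,
        },
        "3.2": {
            "title": "Ensure CloudTrail log file validation is enabled (Level 2)",
            "pass": bool(trails) and not unvalidated,  # 3.2 applies to every trail
            "trails_without_validation": unvalidated,
        },
    }


if __name__ == "__main__":
    print(json.dumps(assess_cloudtrail(SAMPLE_DESCRIBE_TRAILS), indent=2))
```

On the sample data the Level 1 check passes on the strength of `audit-trail`, while the Level 2 check fails because `legacy-trail` lacks log file validation; the benchmark’s audit for 3.2 requires it on each trail, not just one. Against a live account, pipe the output of the three CLI calls into the same functions rather than editing the sample.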

The STIG profile helps businesses comply with the Security Technical Implementation Guides (STIGs), the baseline security standards that the Defense Information Systems Agency (DISA) publishes for U.S. Department of Defense systems. Where a benchmark offers a STIG profile, it includes the CIS Level 1 and Level 2 recommendations plus additional recommendations required for STIG compliance. 

What are CIS Hardened Images?

CIS Hardened Images are virtual machine (VM) images with configurations that conform to the CIS Benchmarks. A VM image is a snapshot of a computer storage device containing the operating system and key library and utility software. They can be run directly by virtualization software and cloud platforms or copied to a physical server. 

CIS Hardened Images enable businesses to deploy servers and other devices that conform to a benchmark out of the box. Starting from a hardened image is a faster and more reliable way to reach benchmark compliance than installing an operating system and software and then configuring each recommendation by hand. The image only guarantees the configuration at launch, however: changes made after deployment can drift away from the benchmark, so running instances should still be re-assessed periodically.

CIS publishes hardened images for most major server operating systems, including Microsoft Windows Server, Amazon Linux, Debian, Ubuntu, CentOS, Oracle Linux, and Red Hat Enterprise Linux. It also publishes images for applications such as Nginx and PostgreSQL. 

Major cloud platforms, including AWS, Microsoft Azure, Google Cloud Platform, and Oracle Cloud, offer CIS Hardened Images in their marketplaces, allowing users to deploy the images directly to virtual servers running on the platform. 

CIS Benchmarks and Regulatory Compliance

Regulatory frameworks and standards impose security and privacy obligations on businesses, but they do not provide concrete guidance for achieving compliance. It’s challenging for businesses to bridge the gap between regulations and real-world implementations on particular platforms. 

CIS Benchmarks are designed to align with major information security regulatory frameworks and standards. In CIS’s language, the recommendations “map” to regulations and standards. Implementing CIS benchmark recommendations can therefore help businesses to comply with aspects of standards and frameworks that include:

  • PCI DSS
  • HIPAA
  • NIST frameworks, including the NIST Cybersecurity Framework (CSF) and SP 800-53
  • FISMA
  • GDPR
  • ISO 27001

One example of how this works is PCI DSS Requirement 2.2 (numbered 2.2.1 in PCI DSS v4.0), which requires organizations that handle cardholder data to “develop configuration standards for all system components…consistent with industry-accepted hardening standards.” CIS Benchmarks qualify as such a standard. In fact, PCI DSS v3.2.1 names the Center for Internet Security explicitly as a source of industry-accepted hardening standards, alongside ISO, the SANS Institute, and the National Institute of Standards and Technology (NIST).

Verify Your IT Environment Is Secure and Compliant

CIS Benchmarks make it easier for businesses to secure IT systems and comply with information security standards and regulations. However, compliance should be verified by an independent third party. 

KirkpatrickPrice helps organizations assess, verify, enhance, and demonstrate their security with compliance audits, pen testing, security awareness training, and more. Our comprehensive audit capabilities include:

To learn more, contact a KirkpatrickPrice information security specialist today.