What are CIS Benchmarks?
CIS Benchmarks from the Center for Internet Security (CIS) are a set of globally recognized, consensus-driven best practices designed to help security professionals implement and manage cybersecurity defenses. They were developed with a global community of security experts, and the guidelines help organizations protect themselves from emerging risks. Companies implement the CIS Benchmark guidelines to limit configuration-based security vulnerabilities in their digital assets [1]. CIS Benchmarks are important because they outline security best practices for deploying over 25 different vendor products, including guidance on securing legacy systems by taking steps such as disabling unused ports, removing unnecessary app permissions, and limiting administrative privileges. CIS Benchmarks cover the following types of IT systems:
- Operating systems
- Cloud infrastructure and services
- Server software
- Desktop software
- Network devices
- Mobile devices
- Multi-function print devices
CIS Benchmarks align with the following major security and data privacy frameworks:
- National Institute of Standards and Technology (NIST) Cybersecurity Framework
- Health Insurance Portability and Accountability Act (HIPAA)
- Payment Card Industry Data Security Standard (PCI DSS)
To help organizations determine the appropriate approaches for reaching their unique security goals, CIS Benchmarks assign profile levels to each CIS Benchmark guideline:
Level 1 profile. Configuration recommendations for the Level 1 profile are basic security recommendations for configuring IT systems. They are easy to follow and do not impact business functionality or uptime. These recommendations reduce the number of entry points into your IT systems, thereby reducing your cybersecurity risks.
Level 2 profile. Level 2 profile configuration recommendations work best for highly sensitive data where security is a priority. Implementing these recommendations requires professional expertise and diligent planning to achieve comprehensive security with minimal disruptions. Implementing Level 2 profile recommendations also helps with achieving regulatory compliance.
STIG profile. The Security Technical Implementation Guide (STIG) is a set of configuration baselines from the Defense Information Systems Agency (DISA). The US Department of Defense publishes and maintains these security standards. STIGs are specifically written to meet US government requirements.
[1] AWS, 2023, "What Are CIS Benchmarks?"