Product Name: CIS Benchmarks

Product Version: All

Date:




Problem

How do the CIS Controls relate to the CIS Benchmarks?

Solution

The CIS Controls are a general set of recommended practices for securing a wide range of systems and devices, whereas the CIS Benchmarks are hardening guidelines for specific operating systems, middleware, software applications, and network devices. In CIS Controls v8 the Controls are broken down into a total of 153 Safeguards, and each Safeguard is assigned to an Implementation Group (IG1, IG2, or IG3); the groups are cumulative, so IG2 includes every IG1 Safeguard and IG3 includes every IG2 Safeguard. The list of CIS Controls is at https://www.cisecurity.org/controls/cis-controls-list/ and the CIS Controls FAQ is at https://www.cisecurity.org/controls/cis-controls-faq/#:~:text=the%20CIS%20Controls.-,What%20is%20the%20relationship%20between%20the%20CIS%20Controls%20and%20the,software%20applications%2C%20and%20network%20devices.

Each Benchmark is a set of hardening guidelines for one specific operating system, middleware product, software application, or network device. Every recommendation in a Benchmark is mapped to a CIS Control (a Sub-Control in CIS Controls v7, a Safeguard in v8), and the mapping is printed beneath the recommendation in the Benchmark PDF. Two examples follow, one mapped to v7 and one to v8.

Example 1: Oracle Linux 8 v1.0.0 Benchmark

Recommendation 1.1.1.1 lists that it is related to Control 5.1, which you could document in the CSAT tool. The mapping block printed under the recommendation (the same block appears in every Benchmark and in the assessment reports) reads:

CIS Controls:
Version 7
5.1 Establish Secure Configurations
Maintain documented, standard security configuration standards for all authorized operating systems and software

This means that recommendation 1.1.1.1 in the Oracle Linux 8 Benchmark is linked to CIS Control 5.1.

(Screenshot of Control 5.1 in the CSAT Hosted tool)

Example 2: Windows 10 Enterprise Release 21H1 Benchmark

Recommendation 1.1.1, "(L1) Ensure 'Enforce password history' is set to '24 or more password(s)' (Automated)", is mapped to CIS Controls v8 Safeguard 5.6, Centralize Account Management through a directory or identity service. Safeguard 5.6 sits under Control 5, Account Management, which governs the use of user accounts and authentication systems, and is assigned to Implementation Groups IG2 and IG3.

Use the audit procedure in the Benchmark to gather evidence that the recommendation is implemented, then upload that evidence to CSAT against the Control the recommendation maps to. In the first example, implementing Oracle Linux 8 Benchmark recommendation 1.1.1.1 is your evidence for Control 5.1; in the second, implementing Windows 10 Enterprise Release 21H1 Benchmark recommendation 1.1.1 is your evidence for Safeguard 5.6.
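As an added example (not part of the original page and not a CIS or CSAT tool), the following PowerShell script performs the audit for the Windows 10 example above, recommendation 1.1.1, and writes an evidence record you could attach in CSAT. It assumes an elevated session on the audited host; the evidence file name and its JSON field names are this example's own choices rather than a CSAT import format, and the Control mapping it records is the one the page states for this recommendation.

```powershell
# Added example (not from the CIS page): gather evidence for CIS Microsoft Windows 10
# Enterprise Release 21H1 Benchmark recommendation 1.1.1,
# "(L1) Ensure 'Enforce password history' is set to '24 or more password(s)'".
# Assumptions: runs in an elevated PowerShell session on the host being audited;
# the evidence file name and JSON layout are this example's own choices, not a
# CSAT format; the Control mapping repeats what the page states for 1.1.1.

$BenchmarkId    = 'CIS Microsoft Windows 10 Enterprise Release 21H1 Benchmark'
$Recommendation = '1.1.1'
$Minimum        = 24   # Benchmark threshold: 24 or more passwords remembered

# secedit exports the effective local security policy as an INI-style file;
# the value needed here is PasswordHistorySize under [System Access].
$export = Join-Path $env:TEMP 'secpol-export.cfg'
secedit /export /cfg $export /quiet | Out-Null
if (-not (Test-Path $export)) {
    throw 'secedit export failed; run this from an elevated session.'
}

$line = Get-Content $export |
    Where-Object { $_ -match '^\s*PasswordHistorySize\s*=' } |
    Select-Object -First 1
Remove-Item $export -Force
if (-not $line) { throw 'PasswordHistorySize not present in the exported policy.' }

$actual = [int](($line -split '=')[1].Trim())
$result = if ($actual -ge $Minimum) { 'PASS' } else { 'FAIL' }

# Evidence record: what was checked, where, when, what was found, and the
# Control the Benchmark maps the recommendation to (per the page: v8 Safeguard 5.6).
$evidence = [ordered]@{
    Host           = $env:COMPUTERNAME
    CollectedUtc   = (Get-Date).ToUniversalTime().ToString('o')
    Benchmark      = $BenchmarkId
    Recommendation = $Recommendation
    Setting        = 'Enforce password history'
    Expected       = ">= $Minimum"
    Actual         = $actual
    Result         = $result
    CisControl     = 'CIS Controls v8 Safeguard 5.6 Centralize Account Management (IG2, IG3)'
}

# Hypothetical file name; attach the resulting file to the Control in CSAT by hand.
$out = Join-Path $PWD ("evidence-{0}-{1}.json" -f $env:COMPUTERNAME, $Recommendation)
$evidence | ConvertTo-Json | Set-Content -Path $out -Encoding UTF8
$evidence
```

The exported value is the policy in effect on the host, so on a domain-joined machine it reflects Group Policy as well as local settings, which is the state the Benchmark audit is concerned with. The script only produces the evidence; uploading it to CSAT and recording it against Safeguard 5.6 remains a manual step.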


Keywords: Controls, Benchmark


Copyright © 2020

Center for Internet Security®


Page Properties

Action        Name(s)                        Date    Linked ticket
Created by    Nick Romanzo, Parami Swenson
Reviewed by
Approved by
Remove by