Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Version History

« Previous Version 4 Next »

Product Name

CIS Benchmarks

Product Version

All

Date

Grab info from Elizabeth's PowerPoint

Problem

How do CIS Controls relate to the CIS Benchmarks?

Solution

The CIS Controls are a general set of recommended practices for securing a wide range of systems and devices. Each control is uncategorized into a total of 153 safeguards and these are then identified by implementation groups (IG1, IG2, IG3). This is the list of CIS controls -https://www.cisecurity.org/controls/cis-controls-list/ . Here is our CIS Controls FAQ page - https://www.cisecurity.org/controls/cis-controls-faq/#:~:text=the%20CIS%20Controls.-,What%20is%20the%20relationship%20between%20the%20CIS%20Controls%20and%20the,software%20applications%2C%20and%20network%20devices.

Benchmarks are guidelines for hardening specific operating systems, middleware, software applications, and network devices.  Each recommendation in a Benchmark is linked to a CIS Control.

Example 1: Windows 10 Enterprise Release 21H1

Benchmark recommendation 1.1.1 (L1) Ensure 'Enforce password history' is set to '24 or more password(s)' (Automated). This refers to Version 8 Control 5.6: Centralize Account Management through a directory or identity service. This is a subcategory of the main control 5 to protect sensitive data through controlled use of the user accounts and authentication systems- IG2, IG3. 

Example 2: Oracle Linux 8 v1.0.0

Benchmark, recommendation 1.1.1.1 lists that it is related to control 5.1, which you could document in the CSAT tool.

For example

(This will be every benchmark and assessment report)
CIS Controls:
Version 7
5.1 Establish Secure Configurations
Maintain documented, standard security configuration standards for all authorized operating systems and software

The above example means that recommendation 1.1.1.1 in the Oracle Linux 8 Benchmark is linked to CIS Control 5.1

Here is a picture of control 5.1 in the CSAT Hosted tool

Use the audit procedure in the Benchmark to gather evidence that you are compliant with the Benchmarks recommendation and then upload that evidence to CSAT to prove you are compliant with the CSAT Control. You prove you are compliant with CSAT Control 5.1 by implementing the CIS Oracle Linux 8 Benchmark recommendation 1.1.1.1

Keywords; Controls Benchmark

Content by Label

Copyright © 2020

Center for Internet Security®

Privacy Policy

  • No labels

0 Comments

You are not logged in. Any changes you make will be marked as anonymous. You may want to Log In if you already have an account.