Are CIS Benchmark™ recommendations associated with a severity rating (high, medium, low)?

 


Product Name: CIS Benchmarks™

Product Version: all

Date: Jul 23, 2020



Problem

How do we determine which recommendations should be remediated first to close the most critical security gaps?

Solution

  • Each recommendation in a benchmark holds a weight of 1, meaning no recommendation holds more importance or a higher severity level than another.

  • Because each organization reviews and implements the recommendations within a benchmark differently, a setting that you rate at the highest criticality may be rated at a lower priority by another organization. Of course, the more recommendations that can be implemented without negatively impacting your environment, the better.

  • We recognize that 100% compliance may not be practical for many organizations, but closing as many security gaps as possible is the real success story. As a reference point, most organizations fall within the 70-100% passing rate, and that percentage varies based on their requirements and the unique tailoring to their environment.

  • If you have specific questions about a recommendation or setting within a benchmark, please feel free to participate in the community for that particular benchmark on our WorkBench platform by opening a discussion thread. Providing feedback and developing conversations around our benchmarks and recommendations gives us the opportunity to continuously improve our products.

 


Copyright © 2020

Center for Internet Security®