Are CIS Benchmark™ recommendations associated with a severity rating (high, medium, low)?
Product Name: CIS Benchmarks™
Product Version: all
Date: Jul 23, 2020
Problem
How do we determine which recommendations should be remediated first to close the most critical security gaps?
Solution
Each recommendation in a benchmark holds a weight of 1, meaning no recommendation holds more importance or a higher severity level than another.
Because each organization reviews and implements the recommendations within a benchmark in a different way, a setting you rate at the highest criticality may be rated at a lower priority by another organization. Of course, the more recommendations that can be implemented without negatively impacting your environment, the better.
We recognize that 100% compliance may not be practical for many organizations, but closing as many security gaps as possible is the real success story. As a reference point, most organizations fall within the 70-100% passing rate, and that percentage varies based on each organization's requirements and the tailoring unique to its environment.
If you have specific questions about a recommendation or setting within a benchmark, please feel free to participate in the community for that particular benchmark on our WorkBench platform by opening a discussion thread. Feedback and conversation about our benchmarks and recommendations give us the opportunity to continuously improve our products.