Product Name
CIS Benchmarks
Product Version
All
Date
Problem
How do CIS Controls relate to the CIS Benchmarks?
Solution
The CIS Controls are a general set of recommended practices for securing a wide range of systems and devices, whereas CIS Benchmarks are guidelines for hardening specific operating systems, middleware, software applications, and network devices. Here is our CIS Controls FAQ page - https://www.cisecurity.org/controls/cis-controls-faq/#:~:text=the%20CIS%20Controls.-,What%20is%20the%20relationship%20between%20the%20CIS%20Controls%20and%20the,software%20applications%2C%20and%20network%20devices.
Each recommendation in a Benchmark is linked to a CIS Control. For example, in the Oracle Linux 8 v1.0.0 PDF Benchmark, recommendation 1.1.1.1 lists that it is related to control 5.1, which you could document in the CSAT tool.
For example
(This will be every benchmark and assessment report)
CIS Controls:
Version 7
5.1 Establish Secure Configurations
Maintain documented, standard security configuration standards for all authorized operating systems and software
So the above example means that recommendation 1.1.1.1 in the Oracle Linux 8 Benchmark is linked to CIS Control 5.1
Here is a picture of control 5.1 in the CSAT Hosted tool
Use the audit procedure in the Benchmark to gather evidence that you are compliant with the Benchmarks recommendation and then upload that evidence to CSAT to prove you are compliant with the CSAT Control. You prove you are compliant with CSAT Control 5.1 by implementing the CIS Oracle Linux 8 Benchmark recommendation 1.1.1.1
Highlight important information
Add Comment