CIS Compliance Made Easy
Uncover the landscape of CIS Compliance.
Compliance. If you’re like most people, your shoulders tensed a little just at the mention of the word. As malicious acts increase in sophistication and effectiveness, however, cybersecurity is more important than ever. It protects your brand, your financial stability, and the data of your employees and customers.
At a high level, most compliance requirements are vague. They focus on broad language, like “establishing and maintaining baseline configurations”. The good news is that the Center for Internet Security (CIS), a nonprofit organization of IT professionals that defines cybersecurity best practices, has broken that goal down into specific, system-level controls you can implement to reach a secure baseline. The bad news is that manually implementing and maintaining those technical controls is time-consuming and requires specialized skills.
CIS Benchmarks are the secure configuration recommendations mapped to the CIS Controls and best practices identified by technology professionals who actually do the hardening work. With more than 100 CIS Benchmarks across more than 25 vendor product families, you can use them to harden:
- Cloud provider platforms and cloud services
- Desktop software
- Server software
- Mobile devices
- Network devices
- Operating systems
Understanding your path to compliance.
For most companies, the compliance journey starts with a customer or industry requirement. The federal government is perhaps the largest customer requiring compliance, but many private organizations also want to know their supply chain is secure and following best practices. So, someone, somewhere, needs to know how you protect data and wants the documentation to prove it.
There are several paths to achieving that outcome, but the multitool of cybersecurity in the private sector is the CIS Benchmarks. The CIS Controls act as a map to guide your journey. Your companion along that journey is NIST SP 800-53, which makes the map more useful by telling you which control to implement, what it does, and what other actions you may need to take along the way. The two work together to create a plan of action.
The manual process of implementing that plan looks like this:
- Download the appropriate CIS Benchmark and use it to write a security configuration script that applies the required system settings.
- Using the same CIS Benchmark, scan the host with a compliance scanning tool (or equivalent) to verify that the settings took effect.
- Perform a security quality assurance test.
- Save this hardened base image.
- Repeat the process until the system or application is fully remediated, or fully remediated except for documented exceptions and waivers.
- Repeat several times a year as new applications are added to the system or when CIS publishes its regular benchmark updates.
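To make the scan/remediate/rescan loop above concrete, here is a small baseline scanner written as an added example for this article; it is not SteelCloud's ConfigOS, not an official CIS tool, and the rule identifiers (EX-1 to EX-4), the sample configuration and the waiver entry are all constructed for illustration rather than taken from any published benchmark. It checks an sshd_config-style "directive value" file against a list of expected settings, honours a waiver list so that "fully remediated less any exceptions" can be reported honestly, and emits the directive lines a remediation script would need to set. It models one real sshd_config behaviour that trips up naive checkers: for each directive, the first value in the file wins, so a later compliant line does not override an earlier non-compliant one.

```python
"""Minimal baseline scanner (added illustration, not ConfigOS or a CIS tool)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    rule_id: str      # constructed id, NOT a real CIS recommendation number
    key: str          # configuration directive to check
    expected: str     # required value ("eq") or maximum allowed value ("le")
    op: str           # "eq" = exact (case-insensitive) match, "le" = numeric upper bound
    description: str


# Constructed rule set in the spirit of common SSH hardening recommendations.
RULES = [
    Rule("EX-1", "PermitRootLogin", "no", "eq", "SSH root login is disabled"),
    Rule("EX-2", "PasswordAuthentication", "no", "eq", "SSH password authentication is disabled"),
    Rule("EX-3", "X11Forwarding", "no", "eq", "SSH X11 forwarding is disabled"),
    Rule("EX-4", "MaxAuthTries", "4", "le", "SSH MaxAuthTries is 4 or fewer"),
]

# Constructed sample file. Note the duplicated PermitRootLogin: sshd keeps the
# FIRST value it reads, so the later "no" does not make this host compliant.
SAMPLE_CONFIG = """\
# constructed sshd_config-style sample for the example
Port 22
PermitRootLogin yes
permitrootlogin no
PasswordAuthentication no
MaxAuthTries 6
"""

# Constructed waiver: rule id -> justification recorded by the approver.
WAIVERS = {"EX-3": "ticket EXAMPLE-123: X11 required on build host until Q3"}


def parse_config(text: str) -> dict:
    """Parse 'directive value' lines; blank and '#' lines are comments; first value wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts
        settings.setdefault(key.lower(), value.strip())   # keep the first occurrence
    return settings


def rule_passes(rule: Rule, actual: Optional[str]) -> bool:
    """Evaluate one rule; a missing directive is treated as non-compliant, not as 'default ok'."""
    if actual is None:
        return False
    if rule.op == "eq":
        return actual.lower() == rule.expected.lower()
    if rule.op == "le":
        return actual.isdigit() and int(actual) <= int(rule.expected)
    raise ValueError(f"unknown op {rule.op!r}")


def scan(text: str, rules=RULES, waivers=WAIVERS) -> dict:
    """Return {rule_id: {status, actual, description}} with status PASS, FAIL or WAIVED."""
    settings = parse_config(text)
    report = {}
    for rule in rules:
        actual = settings.get(rule.key.lower())
        if rule_passes(rule, actual):
            status = "PASS"
        elif rule.rule_id in waivers:
            status = "WAIVED"          # failing, but covered by an approved exception
        else:
            status = "FAIL"
        report[rule.rule_id] = {"status": status, "actual": actual,
                                "description": rule.description}
    return report


def remediation_lines(report: dict, rules=RULES) -> list:
    """Directive lines to prepend to the file for each FAIL (prepending makes them win)."""
    by_id = {r.rule_id: r for r in rules}
    return [f"{by_id[rid].key} {by_id[rid].expected}"
            for rid, entry in report.items() if entry["status"] == "FAIL"]


def is_compliant(report: dict) -> bool:
    """Compliant 'less any waivers': no rule is in FAIL state."""
    return all(entry["status"] != "FAIL" for entry in report.values())


if __name__ == "__main__":
    rep = scan(SAMPLE_CONFIG)
    for rid, entry in rep.items():
        print(f"{rid:5} {entry['status']:6} {entry['description']} (actual={entry['actual']})")
    print("remediation:", remediation_lines(rep))
    print("compliant less waivers:", is_compliant(rep))
    # Second pass of the loop: apply the remediation and rescan.
    fixed = "\n".join(remediation_lines(rep)) + "\n" + SAMPLE_CONFIG
    print("compliant after remediation:", is_compliant(scan(fixed)))
```

Run as a script it prints one line per rule, the remediation directives, and then rescans the remediated text, which is the "repeat until remediated less exceptions" step in miniature. Recording the waiver justification next to the rule id is what lets the final report show an auditor why a failing check is acceptable rather than silently dropping it.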
Today’s technology is highly interconnected, meaning that all systems, applications, and individual components need to work together seamlessly. A problem can have a domino effect across all these interconnected parts, breaking things you wouldn’t have expected and taking time you don’t have, which means you must repeat the process again. It’s a time-consuming task that information assurance (IA) staff describe as soul-sucking work. But what choice do you have?
Automating CIS compliance could make all the difference.
The good news is that the entire process—from scanning the system to remediating issues to maintaining security over time and generating reports to prove it—can be automated. SteelCloud’s ConfigOS Command Center has a proven record of turning weeks of compliance work into an hour at the office. Better yet, it’s an hour that can be handled by a less experienced admin.
As you start down your CIS compliance journey, consider automation as a way to protect both your baseline and your bottom line. Schedule a no-obligation demo to see how it works.