About CIS Security Benchmarks Division
The Security Benchmarks division (formerly the Center for Internet Security) helps organizations improve their security posture by reducing risk resulting from inadequate technical security controls. To accomplish this, the Security Benchmarks division facilitates the consensus-based development of (1) best practice standards for security configuration, (2) tools for measuring information security status, and (3) resources for making informed security investment decisions.
The Security Benchmarks division has built a reputation as a trusted, independent authority that possesses the ability to quickly facilitate the collaboration of public and private industry experts to achieve consensus on practical and actionable solutions. In turn, this reputation has resulted in our resources being recommended as the de facto security configuration standards and even required by a number of laws and regulations such as FISMA, PCI, and the OWASP Top 20.
The Security Benchmarks division is a community that includes:
- Professionals with IT security expertise who share their knowledge and experience with others to develop best practice guidance for the global Internet community.
More than 1,500 volunteer subject matter experts (SMEs) have participated in the development of nearly 60 consensus security configuration benchmarks for operating systems, software applications, network devices and mobile devices. Over one hundred SMEs are participating in development of the consensus-based IT security metrics definitions.
- Professionals whose corporations, organizations and government agencies are Security Benchmarks division members, or who are Individual Members of the division.
Through the CIS Security Benchmarks Members web site, more than 2,300 people have direct access to CIS-CAT, Benchmarks with enriched content in machine-readable format, as well as technical discussion forums. The membership provides valuable input for the Security Benchmarks team regarding what security projects will be undertaken.
Through CIS consensus-building initiatives, individuals and organizations from . . .
- all levels of government
- the higher education community
- entities in nearly all sectors of business and industry
. . . collaborate with . . .
- developers of commercial software and hardware
- IT security software companies, consultants and managed service providers
. . . to . . .
help enterprises around the world manage the risks related to information security by providing methods and tools to measure, monitor and improve the security status of their Internet-connected IT systems and devices.
The tremendous commitment to excellence and collaboration through which our volunteers and members operate is instrumental in our collective success.
The mission of the division is to establish and promote the use of consensus-based best practice standards to raise the level of security and privacy in Internet-connected systems, and to ensure the integrity of the public and private Internet-based functions and transactions on which society increasingly depends.
The division develops and distributes a number of resources to assist organizations and individuals in improving their cyber security posture. All of the consensus configuration benchmarks and metric definitions, which are developed via extensive collaboration with volunteer subject matter experts, are distributed free of charge.
The CIS Security Benchmarks Division develops and distributes:
- Security Configuration Benchmarks, which describe consensus best practices for the secure configuration of target systems. Configuring IT systems in compliance with these Benchmarks has been shown to eliminate 80-95% of known security vulnerabilities. The Benchmarks are globally used and accepted as the de facto user-originated standard for IT security technical controls.
- Security Metrics, which offer enterprise IT and security teams insight into their own security process outcomes.
- Benchmark Assessment Tools for assessing compliance with CIS Benchmarks.
Some additional resources—such as CIS-CAT and benchmarks with enriched content in machine-readable format—are developed exclusively by paid contractors, with no involvement by community volunteers. These resources are distributed only to division members via the Members web site.
The division continually assesses the needs of its members and the community to provide value-added resources and services. We welcome feedback to assist us in that process.
To access the complete repository of resources available through the division, please visit our Security Resources page.
To learn more about becoming a member and gaining access to members-only resources, visit our Membership page.
To learn more about the CIS Security Benchmarks Trademarks and Logos, visit our Trademarks page.
For example, the benchmarks are widely used by security professionals as a key resource in guiding the development or review of system/device configuration policies in their enterprises. The metrics are increasingly used as a resource for defining the outcome and process data that enterprises collect and use for security program and risk management decision support.
Membership provides security software vendor companies eligibility for CIS Software Certification to use the CIS benchmark content in their products. Membership also allows security consultants and auditors to use CIS Security Benchmarks resources in consulting/auditing engagements with external customers.