About CIS Security Benchmarks Division
Overview
The Security Benchmarks division (formerly the Center for Internet Security) helps organizations improve their security posture by reducing risk resulting from inadequate technical security controls. To accomplish this, the Security Benchmarks division facilitates the consensus-based development of (1) best practice standards for security configuration, (2) tools for measuring information security status, and (3) resources for making informed security investment decisions.
The Security Benchmarks division has built a reputation as a trusted, independent authority that possesses the ability to quickly facilitate the collaboration of public and private industry experts to achieve consensus on practical and actionable solutions. In turn, this reputation has resulted in our resources being recommended as the de facto security configuration standards and even required by a number of laws and regulations such as FISMA, PCI, and the OWASP Top 20.
The Security Benchmarks division is a community that includes:
- Professionals with IT security expertise who share their knowledge and experience with others to develop best practice guidance for the global Internet community.
More than 1,500 volunteer subject matter experts (SMEs) have participated in the development of nearly 60 consensus security configuration benchmarks for operating systems, software applications, network devices and mobile devices. Over one hundred SMEs are participating in development of the consensus-based IT security metrics definitions.
- Professionals whose corporations, organizations and government agencies are Security Benchmarks division members, or who are Individual Members of the division.
Through the CIS Security Benchmarks Members web site, more than 2,300 people have direct access to CIS-CAT, Benchmarks with enriched content in machine-readable format, as well as technical discussion forums. The membership provides valuable input for the Security Benchmarks team regarding what security projects will be undertaken.
Through CIS consensus-building initiatives, individuals and organizations from . . .
- all levels of government
- the higher education community
- entities in nearly all sectors of business and industry
. . . collaborate with . . .
- developers of commercial software and hardware
- IT security software companies, consultants and managed service providers
. . . to . . .
help enterprises around the world manage the risks related to information security by providing methods and tools to measure, monitor and improve the security status of their Internet-connected IT systems and devices.
The tremendous commitment to excellence and collaboration with which our volunteers and members operate is instrumental in our collective success.
Mission
The mission of the division is to establish and promote the use of consensus-based best practice standards to raise the level of security and privacy in Internet-connected systems, and to ensure the integrity of the public and private Internet-based functions and transactions on which society increasingly depends.
CIS Security Benchmarks Division Resources
The division develops and distributes a number of resources to assist organizations and individuals in improving their cyber security posture. All of the consensus configuration benchmarks and metric definitions, which are developed via extensive collaboration with volunteer subject matter experts, are distributed free of charge.
The CIS Security Benchmarks Division develops and distributes:
- Security Configuration Benchmarks, which describe consensus best practices for the secure configuration of target systems. Configuring IT systems in compliance with these Benchmarks has been shown to eliminate 80-95% of known security vulnerabilities. The Benchmarks are globally used and accepted as the de facto user-originated standard for IT security technical controls.
- Security Metrics, which offer enterprise IT and security teams insight into their own security process outcomes.
- Benchmark Assessment Tools for assessing compliance with CIS Benchmarks.
Some additional resources—such as CIS-CAT and benchmarks with enriched content in machine-readable format—are developed exclusively by paid contractors, with no involvement by community volunteers. These resources are distributed only to division members via the members' web site.
The division continually assesses the needs of its members and the community to provide value-added resources and services. We welcome feedback to assist us in that process.
To access the complete repository of resources available through the division, please visit our Security Resources page.
To learn more about becoming a member and gaining access to members-only resources, visit our Membership page.
To learn more about the CIS Security Benchmarks Trademarks and Logos, visit our Trademarks page.
The Terms of Use under which CIS Security Benchmark Resources Are Distributed
A variety of valuable use cases for the CIS benchmarks and security metrics definitions are enabled via the Terms of Use under which they are distributed free of charge to the Internet community.
For example, the benchmarks are widely used by security professionals as a key resource in guiding the development or review of system/device configuration policies in their enterprises. The metrics are increasingly used as a resource for defining the outcome and process data that enterprises collect and use for security program and risk management decision support.
One may download them directly from the CIS web site onto his or her computer, and may create and distribute hard copies of the guides, without alteration, to his or her colleagues. However, the Terms of Use include some restrictions as well. For example, electronic distribution in any form is prohibited. This restriction serves two objectives: (1) because CIS resources are updated periodically, this restriction helps ensure that user communities are not exchanging out-of-date configuration guidance, and (2) it provides employees of member organizations that provide financial support for development of the resources the added convenience and efficiency of distributing them electronically within their enterprises.
Terms of Use for Downloading CIS Security Benchmarks Resources
For a complete list of the terms and conditions under which you may download CIS resources, please refer to the Terms of Use Agreement.
Distribution Rights and Terms of Use for CIS Security Benchmarks Members
To compare the Terms of Use that apply to CIS Security Benchmarks Members to the Terms of Use that apply to the Internet Community at large, please see the table on our Membership Categories page.
Security Software Vendor Membership
Membership provides security software vendor companies eligibility for CIS Software Certification to use the CIS benchmark content in their products. Membership also allows security consultants and auditors to use CIS Security Benchmarks resources in consulting/auditing engagements with external customers.
Consultant/Auditing Membership
Membership allows security consultants and auditors to use the CIS Security Benchmarks resources in consulting/auditing engagements with external customers.




