Compliance
PCI DSS Compliance and CIS Benchmarks
The Payment Card Industry Data Security Standard (PCI DSS) comprises 12 Requirements to guide organizations processing cardholder data when securing their systems.
PCI DSS Requirement 2 (Do not use vendor-supplied defaults for system passwords and other security parameters) points to the Center for Internet Security Benchmarks in sub-requirement 2.2 for configuration standards.
In addition, PCI DSS enumerates other requirements for which the CIS Benchmark configuration recommendations are useful for achieving PCI DSS compliance, including:
1.1 Firewall and router configurations
6.1 Patch deployment
7.1 Access control
6.4 Change control
plus numerous other specific requirements.
The PCI DSS document can be found at:
https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml
FISMA Compliance and CIS Benchmarks
The NIST National Checklist Program Repository contains the CIS Benchmarks as official configuration guidance for use by federal agencies and other entities who are subject to FISMA compliance requirements.
See http://web.nvd.nist.gov/view/ncp/repository for further information.
The Center for Internet Security Configuration Assessment Tool (CIS-CAT) is a validated product for the NIST Security Content Automation Protocol (SCAP) in the following categories:
FDCC Scanner
Authenticated Configuration Scanner
As a NIST validated tool, it may be used for auditing systems subject to FISMA requirements for compliance with CIS Benchmark configuration recommendations.
See http://nvd.nist.gov/scapproducts.cfm for further information.
Other security standards and CIS Benchmarks
The CIS Benchmark configuration recommendations are widely used to attain compliance with a number of recognized security standards, including:
ISO/IEC 27002
Gramm-Leach-Bliley
Sarbanes-Oxley for all sectors
HIPAA
ITIL
The above-named standards and codes of practice deal with the protection of information in a horizontally comprehensive manner, touching on many facets of information security such as asset classification, access authentication methods and privileges, event logging, segregation of duties, encryption, and others.
Within these standards, the components of information security are typically expressed in a technology brand-agnostic way, and at a level of generality that requires further elaboration of detail prior to operational implementation. It is the brand-specific, operationally detailed and actionable content in the CIS Benchmarks that renders them so useful for implementation of the various security standards and codes of practice noted above.