PCI DSS Compliance & CIS Benchmarks
The Payment Card Industry Data Security Standard (PCI DSS) comprises 12 requirements that guide organizations processing cardholder data in securing their systems. PCI DSS Requirement 2 (Do not use vendor-supplied defaults for system passwords and other security parameters) points to the CIS Benchmarks in sub-requirement 2.2 for configuration standards:
In addition, PCI DSS enumerates other requirements for which the CIS Benchmark configuration recommendations are useful for achieving PCI DSS compliance, including:
1.1 Firewall and router configurations
6.1 Patch deployment
7.1 Access control
6.4 Change control
plus numerous other specific requirements.
The PCI DSS document can be found here.
FISMA Compliance and CIS Benchmarks
The NIST National Checklist Program Repository contains the CIS Benchmarks as official configuration guidance for use by federal agencies and other entities that are subject to FISMA compliance requirements. Visit the NIST National Checklist Program Repository for more information.
CIS-CAT Pro Assessor is a validated product for the NIST Security Content Automation Protocol (SCAP) in the following categories:
Authenticated Configuration Scanner
As a NIST validated tool, CIS-CAT Pro Assessor may be used for auditing systems subject to FISMA requirements for compliance with CIS Benchmark configuration recommendations. Visit the NIST Security Content Automation Protocol Validated Products page for further information.
Other Security Standards and CIS Benchmarks
The CIS Benchmark configuration recommendations are widely used to attain compliance with a number of recognized security standards, including:
Gramm-Leach-Bliley
Sarbanes-Oxley for all sectors
The above-named standards and codes of practice deal with the protection of information in a horizontally comprehensive manner, touching on many facets of information security such as asset classification, access authentication methods and privileges, event logging, segregation of duties, encryption, and others.
Within these standards, the components of information security are typically expressed in a technology brand-agnostic way, and at a level of generality that requires further elaboration of detail prior to operational implementation. It is the brand-specific, operationally detailed and actionable content in the CIS Benchmarks that renders them so useful for implementation of the various security standards and codes of practice noted above.