Why We Love (and Trust) the CIS Benchmarks

We recently announced a new partnership with the Center for Internet Security (CIS) and that Sicura will now include the integrated CIS-CAT®  Pro Assessor to further assist organizations with the implementation of CIS Benchmarks™. 

CIS is a nonprofit membership organization that creates and maintains globally recognized best practices for securing IT systems and data. At Sicura, we’ve worked with CIS for years and Sicura is certified for enforcement and remediation of the CIS Benchmarks. Today, we’re sharing a bit more about why we decided to partner with CIS and why we are such big fans of their standards. 

Here are three reasons we love CIS: 

We Trust The Tech (and the People)

CIS is great about updating and maintaining their benchmarks. As policies and threats evolve, we trust that CIS is keeping up-to-date and releasing new benchmarks quickly. 

CIS offers wide applications for their benchmarks, too. You can use the CIS-CAT scanner to assess and enforce CIS compliance across Linux and Windows operating systems as well as middleware such as Microsoft SQL Server, Apache Tomcat, and Google Kubernetes Engine (GKE). 

We integrated the CIS-CAT Pro scanner into Sicura because we think it’s the best scanner on the market. It clearly demonstrates compliance with CIS Benchmarks, and integrates well into other tools and workflows. The CIS Workbench offers an easy-to-navigate place to find all the different standards and benchmarks. 

We love the CIS team, too. They invest in building relationships with their customers and partners.

The Benchmarks are Broadly Applicable

CIS has invested in aligning the benchmarks with other public standards, such as CMMC, and HIPAA. Even if a specific policy requirement isn’t formatted for the CIS-CAT Pro Assessor, CIS will make recommendations and suggestions for how members can start to achieve compliance. For example, HIPAA maps many of their recommendations from their operating system benchmarks as well as recommendations for users, data privacy, devices, and other assets. 

Recently, CIS has begun building DISA-STIG compatible benchmarks so they can operate in both government and commercial sectors, meeting standards that matter to both types of organizations. 

CIS is broadly relevant.Their variety of mappings are relevant to financial services, retail, technology, utilities, state and local government… pretty much any sector you could think of. They are rapidly growing to be the organizational standard. 

In an interconnected world, an organization’s security posture is linked to every organization in their supply chain of information, including those institutions you might not expect, such as credit monitoring agencies, advertising firms, and telecommunications companies. Knowing that the vendors and partners you work with are CIS compliant means that your organization and others can be confident in the risk mitigation strategies of the whole chain. 

It’s Easy to Get Started 

When we talk to organizations about creating or improving their technical compliance program, we often hear that they don’t know where to start. They’re worried that improving their cyber hygiene will require time they don’t have or bringing their whole system down to start from scratch. Luckily, that’s not the case. 

CIS offers a free version of their assessor, which is a great first step for a team considering implementing CIS Benchmarks. A quick scan of your environment will tell you your current status and make some recommendations on what to fix first. 

When you’re ready to being the process of becoming CIS compliant, you can do so with Sicura. Within two weeks, Sicura will be deployed to your system and assessing, enforcing, and remediating the CIS Benchmarks across your infrastructure - without risking downtime or breaking critical operations. With our new partnership, you’ll get access to the CIS Benchmarks without purchasing a separate CIS Membership - it’s all in one. 

If you’re interested in getting CIS Compliant, or already partner with CIS and want to answer the question of “What’s next” after a scan, get in touch. We’re offering complimentary assessments and trials to any organization pursuing CIS compliance in July and August.