Benchmarks/ Tools
CIS Benchmarks

For the first time ever, a large group of user organizations, information security professionals and auditors have agreed on security configuration specifications that represent a prudent level of due care, and are working together to define consensus best-practice security configurations for computers connected to the Internet.

Now you can determine how your systems measure up to these widely accepted security benchmarks.

In accordance with the CIS not-for-profit mission, the Benchmarks and Scoring Tools are available free on this web site.

Benchmarks and Scoring Tools are now available to the public for the following:

OPERATING SYSTEMS
- Solaris (Level-1)
- Linux (Level-1)
- HP-UX (Level-1)
- Windows XP Professional (Multi-Level)
- Windows 2000 (Level-1)
- Windows 2000 Professional (Level-2)
- Windows 2000 Server (Level-2)
- Windows NT (Level-1)

NETWORK DEVICES
- Cisco IOS Router (Levels-1 & 2)

APPLICATIONS
- Oracle Database (Level 1 & 2)

New Benchmarks and Scoring Tools in development by teams of CIS members:

APPLICATIONS
- SQL Server (Level-2)
- Windows IIS Web Server (Level-2)
- Apache Web Server (Level-2)
- Sendmail (Level 1 & 2)
- Exchange Server 2003 (Level 1 & 2)

OPERATING SYSTEMS
- AIX (Level-1)
- FreeBSD (Level-1)
- Mac OS X (Level-1)
- Windows 2003 Server
- OS 400

NETWORK DEVICES
- Check Point FW-1/VPN-1 (Levels 1 & 2)
- Cisco PIX Firewall (Levels 1 & 2)
- Cisco CAT Switches (Levels 1 & 2)
- Juniper Routers (Levels 1 & 2)

Active work to update currently released Benchmarks and Scoring Tools:

APPLICATIONS
- Oracle Database (Level 1 & 2)

OPERATING SYSTEMS
- Windows 2000 Professional
- Windows 2000 Server
- Solaris
- Linux
- HP-UX
What is CIS?
The Center for Internet Security mission is to help organizations around the world effectively manage the risks related to information security. CIS provides methods and tools to improve, measure, monitor, and compare the security status of your Internet-connected systems and appliances, plus those of your business partners.

CIS is not tied to any proprietary product or service. It manages a consensus process whereby members identify security threats of greatest concern, then participate in development of practical methods to reduce the threats. This consensus process is already in use and has proved viable in creating Internet security benchmarks available for widespread adoption.
Join Us
We invite you to join us - more than 170 member companies, educational organizations, government and law enforcement agencies plus individuals from around the world - in our quest to raise the level of security for everyone's information assets that are connected to the Internet.

Benefits of Membership

#1. An active voice in the development of Benchmarks that are quickly becoming widely accepted as a prudent due care security standard for organizations of all types.
#2. The right to distribute the benchmarks and tools within your organization. (User Members and Consulting Members only are entitled to this benefit.)
#3. Timely electronic notification of updates to the Benchmarks and Scoring Tools.
#4. Visibility for your organization's tangible commitment to Internet security through its inclusion in the Roster of Members on the CIS website and promotional materials.
#5. The right to use the CIS Membership Mark on your organization's website and documents, establishing its status as a leader in working with others to formulate better security standards for systems connected to the Internet. (User Members and Consulting Members only are entitled to this benefit.)
#6. Working and networking with other highly skilled people from organizations around the world, both virtually and in person during periodic CIS meetings.
#7. Eligibility for licensing the commercial use of CIS resources, CIS certification of commercial software, and designation by CIS as an Information Security Pacesetter. (Category 1 Members only are entitled to this benefit.)

Who should be a CIS member?

The Center represents the shared interests of:

- Users: organizations that depend on secure and reliable cyber systems;
- Auditors who strive to verify the security of clients' automated information systems in a way that is consistent with their audit of other standards-based business processes;
- IT Consultants who help clients improve their system security configurations to levels that are widely accepted as prudent due care or best practice;
- Security Software Vendors who market commercially available tools that assess and report the conformity of system security configurations with the settings and actions defined in CIS benchmarks;
- ISPs, Web Hosting Companies, Business-to-Business e-Commerce Exchanges, and others who have a direct stake in minimizing their customers' risk of business disruptions and cyber crime;
- Insurance Companies that strive to minimize the underwriting risk associated with the information assets of the businesses which they insure;
- Network security specialists, firewall administrators, and others whose job it is to ensure the security, privacy, integrity, and availability of information assets under their custodial care.

CIS is a not-for-profit consortium not tied to any proprietary product or service.
The Benchmarks
The Center provides Internet security benchmarks based on recognized best practices for deployment, configuration, and operation of networked systems. The Center’s security-enhancing benchmarks encompass all three factors in Internet-based attacks and disruptions: technology (software and hardware), process (system and network administration) and human (end user and management behavior). The benchmarks are open, that is, publicly available to everyone.

The Center’s Internet security benchmarks are intended to:

- Provide managers, business partners and insurance underwriters with a security ‘ruler’, where each increment on the ruler represents a set of security-enhancing actions. This security ruler will enable an organization to select the level of security deemed appropriate for that enterprise and implement the specific technical actions associated with the security level chosen;
- Include interventions that can be implemented before, during, and after attacks to reduce losses; and
- Be subject to customization, where appropriate, for specific industries and risk profiles such as those needed by the healthcare sector to implement the extensive privacy and security requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Technical requirements without enforcement mechanisms are rarely effective. To ensure that the benchmarks are more than paper products, the Center will develop and deploy:

- Compliance/auditing methodologies, including automated vendor tools certified by the Center, to ensure efficient and accurate compliance with the benchmarks;
- Accreditation guidelines for system administrators and auditors to allow them to demonstrate a high level of proficiency in implementing and auditing against the benchmarks; and
- Methods of maintaining confidentiality that encourage CIS members and others to share information that supports keeping the benchmarks up-to-date.

Cyber attacks will continue; therefore the benchmarks will be enhanced and updated to ensure that available benchmarks respond to real losses.
Benefits for Members
Widely accepted and trusted security-enhancing benchmarks are a fundamental driver of increased network security. Among the benefits specifically accruing to members:

IT users and network providers can use the benchmarks to evaluate their own operations.

The Center provides members with multiple benefits:

- Enable members to base their security programs on recognized best practices from the combined expertise and knowledge of many different organizations, removing the current uncertainty that arises from multiple conflicting sources of guidance;
- Provide better and lower cost solutions than creating in-house guidance from scratch or provide a much more fully developed starting point for customized benchmarks that they will build themselves;
- Provide shared audit methodologies, and accreditation of auditors and system administrators to enhance confidence in the results;
- Increase public trust that their private data are safe;
- Provide a best-practice benchmark based definition of ‘due diligence’ in risk management strategy.

Auditors may distinguish themselves by accreditation to the Center’s benchmarks and auditing methodologies and tools. Auditors may also license the accreditation methodologies and tools for offering as an additional service to clients.

Insurance providers may underwrite using the benchmarks as a basis, and require the insured to demonstrate and maintain compliance.

- Benchmarks are a baseline for defining requirements for obtaining and maintaining insurance coverage;
- Recognized benchmarks lower the cost and intrusiveness of underwriting evaluations;
- Accrediting auditors/security evaluators provides additional confidence and quality control in overall risk assessment;
- Overall, the center will help both to expand the market for cyber-security insurance, and to establish appropriate quality benchmarks.

B2B Networks will require compliance with the benchmarks as the basis for participation on the network – to provide a level of trust based on a common level of security actions by all network partners.

Managed Service Providers may use accreditation as a baseline requirement to define one dimension of ‘quality of service’ and distinguish themselves from non-accredited providers.
About the Center Staff
Franklin Reeder, Chairman
Previously: Director of the Office of Administration in the Executive Office of the President, responsible for information technology and telecommunications, human resources, finance, accounting and budgeting; Chief of Information Policy, Deputy Associate Director and Assistant Director of the U.S. Office of Management and Budget where, among many other accomplishments, he helped develop the Privacy Act of 1974 and the Computer Security Act of 1987. Currently consultant to the OECD, fellow of the National Academy of Public Administration, columnist for Government Executive magazine and chairman of the National Computer System Security and Privacy Board (CSSPAB).

Clint Kreitner, President/CEO
Previously: President of a multi-hospital region of Adventist Health System and member of its Board of Directors, founder and president of two computer software and services firms, Director of Computer Aided Ship Design for the Navy and Director of the Design Division of the Pearl Harbor Naval Shipyard.

Bert Miuccio, Vice President
Previously: An operations management and business development executive with several prominent health and human services organizations.

John Banghart, Director of Benchmark Services
Previously: Information and Security Director with an Internet services firm.

Steve Kreitner, In-House Counsel & Director of Administrative Services
Previously: Director of Risk Management and the Institutional Review Board at Florida Hospital, a 7 campus, 1750 bed hospital located in Orlando, Florida.

Dave Waltermire, Lead Software Developer