So you need CIS compliance?

June 9, 2023
Industry Commentary


Asset tracking and configuration management are key for reliable IT operations – ask any MSP who’s walked into a new customer and discovered as many different versions of Windows as there are workstations! The Center for Internet Security (CIS) benchmarks let you avoid “reinventing the wheel” to create secure baseline configurations for assets. This includes assets of all kinds: servers, workstations, network devices, firewalls, phone systems, etc. Using CIS benchmarks to configure your systems and protect against cyberattacks makes your organization "CIS Compliant".

CIS also publishes a set of "CIS Controls," which are prescriptive guidelines for configuring devices and applications according to a set of best practices. These best practices cover devices (e.g., workstations), applications (e.g., database software), data (e.g., protected health information), networks (e.g., routers and firewalls), and users (i.e., corporate access policies). The controls are divided into three implementation groups, IG1, IG2, and IG3, each indicating a progressively higher level of security. CIS controls map to commonly used regulatory and industry compliance requirements such as HIPAA and PCI-DSS.

CIS Benchmarks

In this post, we’ll focus on CIS benchmarks, which require two things:

  • A set of configuration templates that contain recommended "correct" configurations and cover all the IT devices at the customer site.
  • A way of auditing and checking the actual device configurations against the templates to ensure that all devices are configured according to the requirements.

CIS benchmarks fall under NIST SP 800-70 “checklists.” NIST SP 800-70 gives guidelines for developing a security configuration checklist: basically, a set of instructions or procedures for configuring an IT product for a specific customer. Checklists can be written procedures, automated scripts, or even XML templates specifying configurations. In some cases, vendors or third-party entities may construct a checklist for a particular device (e.g., a firewall) that covers the setup of the firewall for a specific task (e.g., complying with HIPAA requirements).

Note that CIS benchmarks are intended to help organizations configure their assets. They do not mandate or prescribe specific functions or devices that an organization must procure. Organizations are expected to work with service providers and vendors to select the proper functions and features or select and follow an appropriate NIST SP 800-70 checklist.

CIS Compliance Levels

The CIS benchmarks are classified into three profiles, in ascending order of security:

Level 1 is a base profile that can be implemented quickly, does not have a high performance impact, and reduces the "attack surface" of the organization.

Level 2 is a higher-security profile intended for security-conscious organizations, but can have an adverse performance impact if not implemented properly.

STIG (formerly Level 3): The Security Technical Implementation Guide profile follows DoD cybersecurity requirements, and is generally the highest level of CIS benchmark. It was developed in conjunction with DISA (Defense Information Systems Agency); as can be imagined, STIG doesn’t apply to most SMBs.

CIS compliance is ranked using a scoring system that shows how closely an SMB's system configurations follow the CIS benchmarks. Scores increase as more devices are configured using benchmark checklists, and also increase as more of the checklist is followed for each device. The highest score is reached when 100% of the devices are configured with 100% checklist compliance.

Uplevel Devices and CIS Compliance

In several ways, the Uplevel Systems product complies with the Level 1 CIS benchmark without additional configuration requirements. This is because Uplevel Systems products ship "out of the box" with a default security configuration that provides the "attack surface" reduction aimed at by CIS Level 1. Some examples:

  • The internal stateful firewall is always on and always presents a minimum attack surface on the public Internet.
  • Wi-Fi access always mandates a strong (8+ character) password.
  • Guest access is always isolated and firewalled off from the remainder of the system.
  • VLAN configurations for traffic isolation are always propagated to all network devices consistently.

Compliance with CIS Level 1, and a consistent configuration setup across all customers for an MSP, is therefore possible by simply not overriding the factory-shipped defaults.

Compliance with Level 2 CIS benchmarks requires additional configuration and is hence associated with NIST SP 800-70 checklists. CIS Level 2 should be achievable by documenting a standard configuration checklist that is followed when setting up or auditing an Uplevel system, for example:

  • Always turning on Threat Analysis (IDS/IPS) and Content Filtering, and maintaining the same settings across all customers.
  • Consistently using VLANs to separate devices and employees by business functions (e.g., adhering to PCI-DSS by placing all payment devices on a separate VLAN/SSID).
  • Enabling Active Directory and configuring appropriate policies and accounts (e.g., adhering to HIPAA by setting passwords, screen locking, and removable media controls).

Since all of the configurations of the Uplevel products are accomplished via a "single pane of glass" dashboard, complying with CIS Level 2 is relatively simple. A checklist can be created to cover the specific customer organizational needs, identifying the features and functions on the dashboard that need to be enabled and configured. Once that is done, adherence to the checklist is very straightforward.
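
The audit-and-score loop described in this post (a checklist, a check of each device against it, and a score that reaches 100% only when every device meets every item), as an added example that is not Uplevel or CIS code. The setting keys, check IDs, sample fleet and the equal-weight scoring formula are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Callable

def payment_vlan_separate(cfg: dict) -> bool:
    """Payment VLAN must exist and share its ID with no other VLAN."""
    vlans = cfg.get("vlans", {})
    pay = vlans.get("payment")
    return pay is not None and all(v != pay for k, v in vlans.items() if k != "payment")

@dataclass(frozen=True)
class Check:
    check_id: str
    description: str
    passes: Callable[[dict], bool]

# Checklist items taken from this post; the setting keys are hypothetical.
CHECKLIST = [
    Check("FW-1", "Stateful firewall on", lambda c: c.get("firewall_enabled") is True),
    Check("WIFI-1", "Wi-Fi password of 8+ characters", lambda c: c.get("wifi_password_length", 0) >= 8),
    Check("GUEST-1", "Guest access isolated", lambda c: c.get("guest_isolated") is True),
    Check("IDS-1", "Threat Analysis (IDS/IPS) on", lambda c: c.get("ids_ips_enabled") is True),
    Check("CF-1", "Content Filtering on", lambda c: c.get("content_filtering") is True),
    Check("VLAN-1", "Payment devices on a separate VLAN", payment_vlan_separate),
]

def audit(cfg: dict) -> list:
    """Return IDs of failed checks. A missing setting fails (fail closed)."""
    return [c.check_id for c in CHECKLIST if not c.passes(cfg)]

def score(fleet: dict) -> float:
    """Percent of (device, check) pairs that pass (assumed equal weighting)."""
    total = len(fleet) * len(CHECKLIST)
    failed = sum(len(audit(cfg)) for cfg in fleet.values())
    return round(100.0 * (total - failed) / total, 1) if total else 0.0

# Constructed sample exports, one per device.
FLEET = {
    "site-a-gateway": {"firewall_enabled": True, "wifi_password_length": 14,
                       "guest_isolated": True, "ids_ips_enabled": True,
                       "content_filtering": True,
                       "vlans": {"staff": 10, "guest": 20, "payment": 30}},
    "site-b-gateway": {"firewall_enabled": True, "wifi_password_length": 6,
                       "guest_isolated": True, "ids_ips_enabled": False,
                       "vlans": {"staff": 10, "payment": 10}},
    "site-c-gateway": {},  # never configured from the checklist
}

if __name__ == "__main__":
    for name, cfg in FLEET.items():
        print(f"{name}: failed={audit(cfg) or 'none'}")
    print(f"fleet score: {score(FLEET)}%")
```

A device with no recorded settings fails every check, so unmanaged devices pull the fleet score down rather than being silently skipped.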

About Uplevel Systems

At Uplevel Systems, we prioritize CIS compliance to deliver reliable and secure IT solutions. Our products align with CIS benchmarks, providing asset tracking, configuration management, and adherence to best practices outlined in the CIS controls. With default security configurations meeting CIS Level 1, and our user-friendly dashboard simplifying CIS Level 2 compliance, we empower businesses of all sizes to enhance their cybersecurity posture. Partner with us for comprehensive IT solutions that prioritize your organization's security and success.