Asset tracking and configuration management are key for reliable IT operations – ask any MSP who’s walked into a new customer and discovered as many different versions of Windows as there are workstations! The Center for Internet Security (CIS) benchmarks let you avoid “reinventing the wheel” when creating secure baseline configurations for assets. This includes assets of all kinds: servers, workstations, network devices, firewalls, phone systems, etc. An organization that configures its systems according to the CIS benchmarks, and so protects itself against common cyberattacks, is described as "CIS compliant".
CIS also publishes the "CIS Controls," a prioritized set of safeguards describing what an organization should do to defend itself, as opposed to the benchmarks, which describe how to configure a specific product. The controls cover devices (e.g., workstations), applications (e.g., database software), data (e.g., protected health information), networks (e.g., routers and firewalls), and users (i.e., corporate access policies). They are divided into three implementation groups, IG1, IG2, and IG3; each group builds on the previous one, with IG1 being the minimum "essential cyber hygiene" set and IG3 the most demanding. The CIS Controls also map to commonly used regulatory and industry compliance requirements such as HIPAA, PCI DSS, etc.
In this post, we’ll focus on CIS benchmarks, which require two things:
CIS benchmarks are examples of what NIST SP 800-70 calls security configuration "checklists," and that publication provides guidelines for developing and using them. A checklist is basically a set of instructions or procedures for configuring an IT product for a particular operational environment. Checklists can be written procedures, automated scripts, or even XML templates specifying configurations. In some cases, vendors or third-party entities may construct a checklist for a particular device (e.g., a firewall) that covers the setup of that device for a specific purpose (e.g., complying with HIPAA requirements).
Note that CIS benchmarks are intended to help organizations configure their assets. They do not mandate or prescribe specific functions or devices that an organization must procure. Organizations are expected to work with service providers and vendors to select the proper functions and features or select and follow an appropriate NIST SP 800-70 checklist.
The recommendations in a CIS benchmark are grouped into profiles, in ascending order of security:
Level 1 is the base profile: it can be implemented quickly, provides a clear security benefit without a high performance impact, and reduces the "attack surface" of the system.
Level 2 is a higher-security profile intended for security-conscious organizations; it extends Level 1 and can have an adverse impact on performance or functionality if not implemented properly.
STIG (formerly Level 3): the Security Technical Implementation Guide profile aligns the benchmark with the STIGs published by DISA (Defense Information Systems Agency) for DoD systems, and is generally the highest level of CIS benchmark. Only some benchmarks carry a STIG profile, and, as can be imagined, it doesn’t apply to most SMBs.
CIS compliance is expressed as a score: for a given device, the percentage of the benchmark's scored recommendations (those marked "Scored" or, in newer benchmarks, "Automated") that the device passes. Recommendations marked "Not Scored"/"Manual" must still be reviewed but do not count toward the score. The CIS-CAT assessment tool is the usual way to measure this. Across an organization, the score increases as more devices are configured using benchmark checklists, and as more of the checklist is followed on each device; the highest score is reached when 100% of the devices pass 100% of the scored recommendations.
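The following is an added example, not Uplevel Systems code or an official CIS tool. It models a NIST SP 800-70 style checklist as data (the "automated script" form mentioned above) and scores devices the way the post describes: only scored recommendations count, a Level 2 assessment includes the Level 1 items, and the fleet score reaches 100% only when every device passes everything. The recommendation identifiers, setting names and device configurations are all constructed for illustration and do not correspond to any real CIS benchmark.

```python
"""Toy checklist evaluator (added example; hypothetical settings, not a real CIS benchmark)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Recommendation:
    ident: str                     # constructed identifier, not a CIS recommendation number
    title: str
    level: int                     # 1 or 2; a Level 2 assessment includes all Level 1 items
    scored: bool                   # False = "Not Scored"/"Manual": reviewed, but not counted
    check: Callable[[dict], bool]  # predicate over a device's configuration dictionary


# Constructed checklist. Setting names are hypothetical.
CHECKLIST: List[Recommendation] = [
    Recommendation("1.1", "Remote management disabled on WAN interface", 1, True,
                   lambda c: c.get("wan_remote_mgmt") is False),
    Recommendation("1.2", "Factory admin password changed", 1, True,
                   lambda c: c.get("admin_password_changed") is True),
    Recommendation("1.3", "Automatic firmware updates enabled", 1, True,
                   lambda c: c.get("auto_update") is True),
    Recommendation("1.4", "Change-control owner documented", 1, False,
                   lambda c: bool(c.get("change_owner"))),
    Recommendation("2.1", "Inter-VLAN traffic denied by default", 2, True,
                   lambda c: c.get("vlan_default_policy") == "deny"),
    Recommendation("2.2", "Logs forwarded to a central syslog collector", 2, True,
                   lambda c: bool(c.get("syslog_server"))),
]


def assess(config: dict, level: int) -> Dict[str, bool]:
    """Pass/fail for every recommendation at or below the requested profile level."""
    return {r.ident: r.check(config) for r in CHECKLIST if r.level <= level}


def failing(config: dict, level: int) -> List[str]:
    """Identifiers of recommendations the device fails, scored or not (the remediation list)."""
    return [ident for ident, ok in assess(config, level).items() if not ok]


def device_score(config: dict, level: int) -> float:
    """Percentage of scored recommendations passed; unscored items are excluded."""
    scored = [r for r in CHECKLIST if r.level <= level and r.scored]
    passed = sum(1 for r in scored if r.check(config))
    return 100.0 * passed / len(scored)


def fleet_score(devices: Dict[str, Optional[dict]], level: int) -> float:
    """Mean device score. A device with no assessed configuration (None) scores 0,
    so unmanaged devices pull the fleet score down rather than being ignored."""
    if not devices:
        return 0.0
    scores = [device_score(c, level) if c is not None else 0.0 for c in devices.values()]
    return sum(scores) / len(scores)


# Constructed sample fleet: a device left at hardened defaults, one that was
# hand-modified, and one nobody has assessed yet.
FLEET: Dict[str, Optional[dict]] = {
    "gw-hq": {"wan_remote_mgmt": False, "admin_password_changed": True, "auto_update": True,
              "change_owner": "", "vlan_default_policy": "deny", "syslog_server": ""},
    "gw-branch": {"wan_remote_mgmt": True, "admin_password_changed": True, "auto_update": False,
                  "change_owner": "ops", "vlan_default_policy": "allow", "syslog_server": "10.0.0.5"},
    "gw-warehouse": None,
}

if __name__ == "__main__":
    for level in (1, 2):
        print(f"Level {level} fleet score: {fleet_score(FLEET, level):.1f}%")
        for name, cfg in FLEET.items():
            if cfg is None:
                print(f"  {name}: not assessed")
            else:
                print(f"  {name}: {device_score(cfg, level):.1f}%  failing: {failing(cfg, level)}")
```

Note that "gw-hq" scores 100% at Level 1 despite failing the unscored 1.4 item, which still shows up in its remediation list; the point is that a score is a summary, and the failing list is what an MSP actually works from.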
In several ways, the Uplevel Systems product complies with the Level 1 CIS benchmark without additional configuration. This is because Uplevel Systems products ship "out of the box" with a default security configuration that provides the "attack surface" reduction targeted by CIS Level 1. Some examples:
Compliance with CIS Level 1, and a consistent configuration setup across all customers for an MSP, is therefore possible by simply not overriding the factory-shipped defaults.
Compliance with the Level 2 CIS benchmark requires configuration beyond the factory defaults, which is where a NIST SP 800-70 style checklist comes in. CIS Level 2 should be achievable by documenting a standard configuration checklist that is followed whenever an Uplevel system is set up or audited, for example:
Since all configuration of the Uplevel products is done through a "single pane of glass" dashboard, complying with CIS Level 2 is relatively simple. A checklist can be created to cover the specific customer's organizational needs, identifying the features and functions on the dashboard that need to be enabled and configured. Once that is done, adherence to the checklist is straightforward to follow and to audit.
At Uplevel Systems, we prioritize CIS compliance to deliver reliable and secure IT solutions. Our products align with CIS benchmarks, providing asset tracking, configuration management, and adherence to best practices outlined in the CIS controls. With default security configurations meeting CIS Level 1, and our user-friendly dashboard simplifying CIS Level 2 compliance, we empower businesses of all sizes to enhance their cybersecurity posture. Partner with us for comprehensive IT solutions that prioritize your organization's security and success.