
Addressing Compliance Initiatives with Tripwire and the Center for Internet Security (CIS)

White Paper Published By: Tripwire

Learn the basics about security benchmarks, and specifically how the security benchmarks developed by the Center for Internet Security (CIS) can help you with your compliance initiatives.



Tags: center for internet security, cis, tripwire, compliance, internet security, cis-certified, framework, regulation

Tripwire
Published:  Mar 31, 2009
Type:  White Paper
Length:  10 pages

Addressing Compliance Initiatives with Tripwire and the Center for Internet Security (CIS)
White paper
by Sean Sherman, CISSP, CISA, PMP, CPISM
Configuration Control for Virtual and Physical Infrastructures

Executive Summary

As more and more organizations face an ever-expanding number of compliance initiatives, both large and small firms are spending more than ever. The challenge is to figure out where to begin with compliance efforts and how to estimate the work, cost and risk associated with those efforts. It might seem counterintuitive that organizations are spending more on compliance given the current economic downturn, but one reason is straightforward: these organizations recognize that although being compliant does not always equate to being secure, the end result of compliance is often a more secure, less risky business. Typically the security holes plugged by being compliant are the ones that would put an organization at risk for breach, direct theft and fines for non-compliance if left unplugged. And while the number of compliance initiatives is growing, it is interesting to note that many of these initiatives tend to call for the same controls. Those organizations that invest earlier and consistently on compliance up front may find themselves at an advantage.

It turns out that organizations that check for and report compliance issues at least monthly have the fewest compliance problems. Conversely, organizations that check for and report less frequently (every 9 months to yearly) have larger issues and costs due to more compliance deficiencies remaining undetected, and therefore uncorrected, for a longer period. The following chart illustrates how compliance deficiencies increase with decreased frequency of checking IT controls and configurations.

[Chart: vertical axis "Number of Compliance Findings" (higher toward the top), horizontal axis "Frequency of Compliance Assessment" (higher toward the right). Annotations: "Greater Number of Compliance Findings Associated with Less Frequent Assessments" and "Increased Frequency of Compliance Assessment Tracks to Fewer Findings".]

Obviously, you want to avoid being on the end of the spectrum with more compliance deficiencies, but to do so, you must set up a compliance program with the appropriate tools, processes and procedures. To make the job easier, you should depend on tools and methods that will make the most of the investment, drive faster compliance and stronger security. In the end, the initial outlay will ensure you make the most of your security investment.

In this paper, you will gain the background you need to build an effective compliance program by understanding benchmarks, the basic building blocks of compliance initiatives. In particular, you'll learn about the benchmarks specified by the Center for Internet Security (CIS), which are often used as a starting point for creating a compliance initiative.

Introduction

Do any of these situations/questions sound familiar?

- Your IT system needs to become more secure. How and where do you start that work?
- Your compliance initiative calls for systems to be "hardened." What does that mean?
- You just went to a conference on security. Now you are worried that your systems are not using "best practices" for secure configuration. How will you determine best practices?

If you are like the IT security professionals in many leading organizations, you want a proven path to securing your organization's IT systems. You want prescriptive guidance that tells you what to do and how to do it, and you want to optimize your IT department by deploying standards that are already published and vetted. If all of this describes what you're looking for, then you are looking for a security benchmark.

The concept of the benchmark has been around for a while, and a number of sources for security best practices and security hardening advice are available. Common sources include the government, IT vendors and the Center for Internet Security (CIS). In this paper, you'll learn about the CIS and its products and overall mission. In addition, you'll learn about Tripwire's association with CIS. Finally, we will discuss the common issues with use of benchmarks and their relationship to standards, regulations and frameworks.

2 | WHITE PAPER | Addressing Your Compliance Initiatives with Tripwire and the Center for Internet Security (CIS)

What is CIS?

While the CIS benchmarks are free, the CIS organization also exists for the benefit of its members. Me... [download for more]
