In Advanced Cyber Solution’s article, “6 Essential Things to Know about CIS Benchmarks”, Chris Payne explores the world of CIS (Center for Internet Security) benchmarking and sets out the six most essential things to understand about the process. CIS benchmarks cover a variety of apps, devices, and operating systems, including multi-function printers, cloud providers, Microsoft Windows OSes, database software, mobile apps and OSes, Cisco network devices, and internet browser applications. CIS benchmarks, created and improved by CIS communities comprised of both professionals and volunteers, use an in-depth approach to automate the system hardening process. The article explains how many industries now require system hardening to be common practice, as with the PCI-DSS (Payment Card Industry Data Security Standard) (Payne, 2018).
As I read the article, I realized it was merely discussing another organization’s product, so I quickly navigated to the CIS’s website to learn more. The Center for Internet Security provides over 140 benchmark tests that can be utilized to both discover and provide solutions to security gaps and threats in a variety of systems. As many organizations tend to either outsource or use automated systems for penetration testing and risk assessments, it seems that the products that CIS offers can be advantageous (CIS, n.d.). While CIS’s tools seem more than up to the task, I must wonder if only using another entity’s product to ascertain security levels is the right choice.
Personally, I would think that keeping the procedure in-house and formed from internally built processes would be ideal, as using someone else’s work as your own seems to limit any knowledge or experience gained during the project. While I see both the strengths and weaknesses of adopting or following a third-party process such as a security control/framework, I feel that completely relying on someone else’s work to find and close security gaps works well for initial testing, yet is rather unsatisfactory for continued security excellence.
Payne, C. (2018, August 14). 6 Essential Things to Know about CIS Benchmarks. Retrieved February 3, 2020, from https://www.advancedcyber.co.uk/it-security-blog/six-essential-things-to-know-cis-benchmark.
CIS. (n.d.). Center for Internet Security: Confidence in the Connected World. Retrieved February 3, 2020, from https://www.cisecurity.org/.