The Center for Internet Security (CIS) is a non-profit enterprise whose mission is to help organizations reduce the risk of business and e-commerce disruptions resulting from inadequate technical security controls.
CIS members develop and encourage the widespread use of security configuration benchmarks through a global consensus process involving participants from the public and private sectors.
The practical CIS Benchmarks support available high-level standards that deal with the "Why, Who, When, and Where" aspects of IT security by detailing "How" to secure an ever-widening array of workstations, servers, network devices, and software applications in terms of technology-specific controls.
CIS Scoring Tools analyze and report system compliance with the technical control settings in the Benchmarks.
The CIS Benchmarks and Scoring Tools are available for download free of charge to the Internet community from this web site.
CIS Charter
Version 1.23 4/1/2002
This document describes the Center for Internet Security – a not-for-profit cooperative organization assisting network users and operators, and their insurers and auditors, to reduce the risk of significant disruptions of electronic commerce and business operations due to technical failures or deliberate attacks.
A Need for Benchmarks Representing Best Global Practices
Imagine a world without automobile safety requirements. Imagine going into a store to buy an electric appliance without the benefit of an Underwriters Laboratory tag to tell you that the appliance will not harm your home's electrical system. That is the world in which every computer user lives today.
Most successful attacks that disrupt computers and network systems exploit flaws and vulnerabilities inadvertently created and distributed by the system vendors. Attacks such as the ILOVEYOU virus and distributed denial of service attacks demonstrate the potential for wide-scale economic chaos. Large enterprises that are significantly dependent upon the Internet, like eBay or Amazon, are especially at risk. However, it is clear that anyone who has a computer connected to the Internet is vulnerable. Corrections, defenses, or patches exist for most of the flaws, but when those patches are not installed, the systems are vulnerable and attacks succeed. Poor or incomplete operating practices also contribute to disruptions and attacks.
A key element of Internet security is useful and widely accepted, non-proprietary security-enhancing benchmarks specifying in greater detail how systems should be configured and operated. In October of 2000, the time had come to build upon the available high-level guidance, and produce more detailed and explicitly measurable benchmarks that are based on recognized best practices.
Without established and widely used Benchmarks, system users and operators were on their own in answering questions such as:
- What do I need to do to make my systems sufficiently reliable and secure, based on my organization's assessment of the costs of security measures versus the value of operating reliable systems for my customers?
- How much is enough? What method can I use to determine the minimum level of due care based on best practice benchmarks needed to reduce my enterprise risk to an acceptable level?
- Whom can I trust to tell me what I need to do and to help me protect my systems and networks?
Widely accepted security/reliability benchmarks were also needed to enable safe business-to-business e-commerce because organizations open their networks to partners. They must trust the systems and users in those partner organizations and, to do so, they need to know how well those other organizations are protecting their systems.
The Center for Internet Security was established in October of 2000 to provide the impartial expertise, guidance, and analysis to fill these missing elements in computer security. Since that time, CIS and its membership have facilitated the development of 27 open security-enhancing benchmarks that incorporate the knowledge of a wide range of recognized best practice organizations and experts.
The CIS Benchmarks are an efficient and inexpensive solution for organizations (or their consultants) who don't want to "reinvent the wheel" in determining how to implement effective security actions. This approach has helped compensate for the severe shortage of information security personnel in relation to the burgeoning demand for those skills.
More detailed technical benchmarks have made it possible to develop methods of auditing compliance, enabling IT users and insurance providers to more explicitly calculate the risks they face.
A Model Successful in Other Industries
The Center is modeled after other highly successful initiatives where key stakeholders have come together for joint action to reduce risk.
- The current state of computer security, in many ways, resembles the state of automobile safety about forty years ago. At that time, automakers were reluctant to adopt new safety measures. People cause crashes, it was said; therefore people, not vehicles, needed to change. At that time, it was also said that consumers were resistant to safety devices in automobiles.
- This situation began to change when insurance companies, public interest organizations, and others directly affected by auto safety weaknesses came together to form the Institute for Highway Safety. Working together, in consultation with auto engineers, the Institute for Highway Safety developed data and analyses for auto safety improvements. To the great benefit of consumers and the automotive industry, their recommendations were adopted over time.
- Another example is the National Insurance Crime Bureau, a not-for-profit organization, supported by approximately 1000 insurance companies, that works to facilitate the identification, detection, and prosecution of insurance criminals.
Why a Center for Internet Security
The Center strives to reduce the frequency of failures and attacks, and the losses that arise from them. The mission of the Center is to help organizations around the world effectively manage the organizational risks related to information security by providing them with methods and tools to improve, measure, monitor, and compare the security status of their own Internet-connected systems and appliances plus those of their business partners.
The Center is not tied to any proprietary product or service. It manages a consensus process whereby members will articulate security threats that concern them, followed by prioritization and development of benchmarks and accreditation methodologies to reduce the threats of concern to members. The consensus process is already in use and has proved viable in creating widely adopted Internet security practices.
We actively seek your counsel, participation, and support in creating the best practice benchmarks and shaping the work of the Center.
The Beneficiaries
By enabling joint action to reduce risks, the Center strives to represent the shared interests of:
- Network and information technology users – the individuals, companies, universities, government agencies, and not-for-profits that depend on secure and reliable cyber systems;
- Auditors and security consultants who need explicit technical benchmarks and accredited auditing tools to evaluate network reliability and ensure that they are accurately measuring the right things;
- Network Security Administrators, Firewall Administrators, and Systems Security Specialists whose job it is to ensure the security, privacy, integrity, and availability of information assets under their custodial care;
- Business-to-Business e-commerce exchanges, network operators, and others who have a direct stake in minimizing risk exposure of IT users to network disruptions and cyber crime;
- Insurance providers – the people whose business it is to quantify the costs of risks and enable organizations to insure against resulting damage; and
- Investors and consumers who need a way to identify businesses and networks that have taken appropriate steps to ensure their security and reliability.
Vendor Involvement
The Center provides opportunities for participation by hardware and software developers, and network security vendors and consultants, to identify the steps that system and network vendors and service providers can take that are most likely to protect their users, clients and partners from Internet security losses. The Center, however, is independent of vendor interests in order to provide impartial, objective guidance.
The Benchmarks
The Center provides Internet security benchmarks based on recognized best practices for deployment, configuration, and operation of networked systems. The Center’s security-enhancing benchmarks encompass all three factors in Internet-based attacks and disruptions: technology (software and hardware), process (system and network administration) and human (end user and management behavior). The benchmarks are open, that is, publicly available to everyone.
The Center’s Internet security benchmarks are intended to:
- Provide managers, business partners and insurance underwriters with a security ‘ruler’, where each increment on the ruler represents a set of security-enhancing actions. This security ruler will enable an organization to select the level of security deemed appropriate for that enterprise and implement the specific technical actions associated with the security level chosen;
- Include interventions that can be implemented before, during, and after attacks to reduce losses; and
- Be subject to customization, where appropriate, for specific industries and risk profiles such as those needed by the healthcare sector to implement the extensive privacy and security requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Technical requirements without enforcement mechanisms are rarely effective. To ensure that the benchmarks are more than paper products, the Center will develop and deploy:
- Compliance/auditing methodologies, including automated vendor tools certified by the Center, to ensure efficient and accurate compliance with the benchmarks;
- Accreditation guidelines for system administrators and auditors to allow them to demonstrate a high level of proficiency in implementing and auditing against the benchmarks, and
- Methods of maintaining confidentiality that encourage CIS members and others to share information that supports keeping the benchmarks up-to-date.
Cyber attacks will continue; therefore the benchmarks will be enhanced and updated to ensure that available benchmarks respond to real losses.
Benefits for Members
Widely accepted and trusted security-enhancing benchmarks are a fundamental driver of increased network security. Among the benefits specifically accruing to members:
IT users and network providers can use the benchmarks to evaluate their own operations. The Center provides members with multiple benefits:
- Enable members to base their security programs on recognized best practices from the combined expertise and knowledge of many different organizations, removing the current uncertainty that arises from multiple conflicting sources of guidance.
- Provide better and lower cost solutions than creating in-house guidance from scratch, or provide a much more fully developed starting point for customized benchmarks that they will build themselves;
- Provide shared audit methodologies, and accreditation of auditors and system administrators to enhance confidence in the results;
- Increase public trust that their private data are safe;
- Provide a best-practice benchmark based definition of ‘due diligence’ in risk management strategy.
Auditors may distinguish themselves by accreditation to the Center’s benchmarks and auditing methodologies and tools. Auditors may also license the accreditation methodologies and tools for offering as an additional service to clients.
Insurance providers may underwrite using the benchmarks as a basis, and require the insured to demonstrate and maintain compliance.
- Benchmarks are a baseline for defining requirements for obtaining and maintaining insurance coverage;
- Recognized benchmarks lower the cost and intrusiveness of underwriting evaluations;
- Accrediting auditors/security evaluators provides additional confidence and quality control in overall risk assessment;
- Overall, the Center will help both to expand the market for cyber-security insurance, and to establish appropriate quality benchmarks.
B2B Networks will require compliance with the benchmarks as the basis for participation on the network – to provide a level of trust based on a common level of security actions by all network partners.
Managed Service Providers may use accreditation as a baseline requirement to define one dimension of ‘quality of service’ and distinguish themselves from non-accredited providers.
Structure and Funding
The Center’s benchmarks are created via a participatory process involving a network of active practitioners and researchers who provide the constantly up-to-date best-practice knowledge base. This structure helps ensure that consensus is reached rapidly and provides timely and high-touch member services. The Center also works with and through respected research and technical organizations that have demonstrated practical excellence in areas of information security of importance to the community of users, auditors, and insurers served by the Center.
The Center generates its revenue through:
- Membership fees paid by end user organizations, insurers, auditors, and Internet service providers who will also help shape the programs offered by the Center;
- Auditor training and certification fees;
- Certification fees for auditing tools and methodologies;
- Product certification fees.
A grant from the CIO Institute provided the initial funding for the Center.
Action Plan
The Center for Internet Security began operation on October 1, 2000, and initially has focused on four major tasks:
- Compare and reconcile differences among the following sets of process-level security requirements:
  - BS7799 security requirements established by the British Government
  - SysTrust™ requirements established by the AICPA
  - COBIT requirements established by the Information Systems Audit and Control Association
  - GAO’s FISCAM (Federal Information System Controls Audit Manual)
  - IETF (Internet Engineering Task Force) Site Security Handbook
  - I2SF (International Information Security Foundation) GASSP (Generally Accepted System Security Principles)
  - NIST (National Institute of Standards and Technology) Principles and Practices for Security of IT Systems
The result of this work is a document of the composite process-level requirements from the above sources, published by the Center.
- Pull together and prepare for review and comment as noted below, the valuable technical work already completed or currently underway related to security-enhancing technical actions for specific operating systems. Sources include the following:
  - The Top Ten Internet Security Threats (and how to avoid them) developed by a consortium of 40 Internet security leaders including the NSA, DoD, Internet Security Systems, Network Associates, Global Integrity, Ernst & Young, Intrusion.com, SANS, CERT/CC and several universities and other groups;
  - Solaris recommendations by Titan, YASSP, and SANS Step-by-Step Guide;
  - Windows 2000 recommendations by NSA;
  - IRIX and AIX recommendations developed by Virginia Tech;
  - Linux recommendations by the Institute for Security Technology Studies at Dartmouth;
  - Windows NT 4.0 recommendations by GIAC participants.
The result of this work is draft sets of operating system-specific technical benchmarks based on global best practices that are circulated for review and input as noted below.
- Coordinate a review and consensus process involving Center members and other organizations having an interest in using the benchmarks and rulers, with a goal of reaching consensus on a final set of minimum benchmarks and rulers to be used as a basis for demonstrating due care. This process involves multiple rounds of review, commenting and redrafting, beginning with the draft benchmarks. It ends when the majority of the group agrees to support the draft benchmark and ruler.
- Establish an Internet Appliance Testing and Certification Laboratory to test and certify the security status of the burgeoning supply of vendor appliances coming to market.
Participants in the Process
The Center works with and through other leading organizations that have developed requirements and processes and research that can contribute to the common goal of reducing losses from Internet Security breaches.
In addition to involving these groups in the process of deciding on the minimum requirements forming a basis for demonstrating due care, the Center looks to them for guidance and suggestions to help shape its other programs and governance structure:
- System and network vendors will be asked to provide guidance on what processes can be altered in the development, delivery and support of products that would reduce the number of flaws and/or improve the adoption rate of patches.
- System and network administrators – the front-line soldiers in the war against Internet attacks – will be asked to provide guidance on what benchmarks they need to meet and what benchmarks they use to secure their systems, and what vendors can do to make the whole process more effective. They will also be asked what information they require on a continuing basis to maintain their systems at the level of security they require.
- Insurance underwriters will be asked to provide guidance on what level of validation they need to establish risk and pricing.
- Security product and services vendors will be asked to provide guidance on how their products can be fairly assessed as to their efficacy and safety.
- Leading auditing associations (The Information Systems Audit Control Association, the Institute of Internal Auditors, the AICPA, and others) will be asked to provide guidance on which of their controls can be used effectively to compare the levels of compliance with the benchmarks.
- Universities will be asked to provide end user and research guidance.
- Computer Incident Response Teams will be asked for guidance on the best practices in preparing for and responding to attacks.
- Law enforcement agencies will be asked for guidance on organizational processes and policy initiatives that would enhance the success rates of finding and prosecuting attackers.
- Major security training organizations will be asked to provide guidance on how to assess the readiness of their graduates to take on various security responsibilities.
- Organizations experienced in business-to-business e-commerce will be asked how they ascertain whether their business partners have adequate security and what benchmarks they would want to have in place.
- ISACs and other Federal and commercial organizations that assess the security of tools and the performance of security tools will be asked what benchmarks they use to determine passing grades. Comparative studies of various types of tools such as biometric identification devices will be gathered and catalogued.
- Consulting firms will be asked what specific information allows them to decide how much security to recommend and what minimum benchmarks they expect to find in various situations.
- Security managers will be asked for guidance on what levels of end user awareness and knowledge of security issues and actions can be expected. They will also be asked for guidance on the best practices in monitoring the level of compliance with benchmarks that their systems maintain. This will include representatives of commercial firms as well as universities and others whose day-to-day survival depends on having secure, trusted systems.
An Opportunity to Become a Member
We actively seek the knowledge, involvement, and support of individuals and organizations who have a substantial interest in creating workable security-enhancing benchmarks and who desire to be a Member of this historic initiative. Members receive a number of benefits: (1) they have an active voice in the development of the benchmarks, (2) they receive timely updates to the benchmarks and scoring tools, including electronic notification when updates are available, (3) they secure the right to claim compliance with the CIS Benchmarks with auditors, and business partners, and (4) they are authorized to use The Center’s logo on their organizations’ websites and documents.
To become a Member, please go to the Membership page on our website (www.cisecurity.org). The categories of Membership are:
Category 1 – Consultants, Auditors and Commercial Software Companies
Category 2 – User Organizations
Category 3 – Individuals
The membership fee covers a one year period beginning upon receipt of the member’s application.
About the Center Staff
Franklin Reeder, Chairman
Previously: Director of the Office of Administration in the Executive Office of the President, responsible for information technology and telecommunications, human resources, finance, accounting and budgeting; Chief of Information Policy, Deputy Associate Director and Assistant Director of the U.S. Office of Management and Budget where, among many other accomplishments, he helped develop the Privacy Act of 1974 and the Computer Security Act of 1987. Currently consultant to the OECD, fellow of the National Academy of Public Administration, columnist for Government Executive magazine and chairman of the National Computer System Security and Privacy Board (CSSPAB).
Clint Kreitner, President/CEO
Previously: President of a multi-hospital region of Adventist Health System and member of its Board of Directors, founder and president of two computer software and services firms, Director of Computer Aided Ship Design for the Navy and Director of the Design Division of the Pearl Harbor Naval Shipyard.
Bert Miuccio, Vice President
Previously: An operations management and business development executive with several prominent health and human services organizations.
Dave Shackleford, Vice President
Previously: CTO of a security consulting firm, Director of Information Security for a major airline, and a security engineer and architect at several Fortune 1000 companies.
Currently: SANS Instructor and courseware author
Steve Kreitner, In-House Counsel & Director of Administrative Services
Previously: Director of Risk Management and the Institutional Review Board at Florida Hospital, a 7 campus, 1750 bed hospital located in Orlando, Florida.