CIS Logo
tagline: Confidence in the Connected World

3 Steps to Deploying Your Golden Image by Tailoring CIS Benchmarks™

If you’re looking to create the ideal “golden image” or machine image template, get ready to do a little customization. But where to start? There are lots of different best practices and security standards available. Some are vendor-driven. Others, like the CIS Controls™ and CIS Benchmarks™, are community-driven. The CIS Controls and CIS Benchmarks provide foundational cybersecurity for servers, operating systems, applications, and more. They are consensus-developed, independent security recommendations trusted by users around the world for hardening IT infrastructure.

Step 1: Identify a secure baseline.

Secure configuration for hardware and software is essential to defending against cyber attacks. It’s the focus of CIS Control 5:



You can download CIS Benchmarks for free in PDF format for over 140 technologies, including network devices, cloud providers, and desktop software. Security and compliance standards including PCI DSS reference the CIS Benchmarks. The CIS Controls and CIS Benchmarks can assist in obtaining PCI DSS in these areas:

  • Firewall and Router Configurations
  • Patch Management
  • Access Control
  • Change Control

Step 2: Customize.

Depending on your organization’s needs, you may want to tailor the template to create a true golden image. You can do this manually by reviewing the recommendations against a test environment. Make a note of anything that disrupts the necessary business activity. Weigh the risk against the control using a risk method like CIS RAM, and you’ll be able to determine which specific configurations don’t apply to your environment. The customized, secure standard is your new golden image.

CIS SecureSuite® Members can tailor CIS Benchmarks using the CIS WorkBench platform. Members can generate customized files including Word, Excel, and machine-readable OVAL and XCCDF.

Learn about tailoring

Step 3: Assess & monitor.

Assess your target systems against the golden image to identify and remediate any configuration gaps. Once your machines are up-to-date, regularly monitor them for “configuration drift,” which occurs when settings change over time. This can happen due to users modifying configurations, applications being added or removed, or updates to existing programs.

If you want to speed policy to implementation, you can schedule automated assessments against a golden image. Using CIS-CAT Pro, CIS SecureSuite Members can compare target machines against their golden image and monitor for configuration drift.

A Golden Opportunity

By starting with a secure baseline and tailoring configurations as needed, you can create the ideal golden image for an environment. This helps you deploy securely configured machines. Through CIS SecureSuite Membership, you can create a golden image with ease and generate files for automation. Using CIS-CAT Pro, you can monitor machines for changing configurations and stay secure over time.