National Bank Relies on Industry-Recommended Cybersecurity Best Practices

Financial institutions make clear targets for cybercriminals – robbing a bank has always been lucrative, and the internet has not changed that. That’s why organizations should start with secure IT configurations that limit vulnerabilities that could lead to ransomware and other cyber threats. Software and hardware – the doors to an organization’s sensitive systems and data – don’t ship securely. It’s on each of us, as the end-users, to implement security guidelines.

To better understand how one national bank leverages the CIS Benchmarks and CIS SecureSuite Membership to bolster their cybersecurity, we spoke with the bank’s Information Security Engineer, Adam.

Implementing cybersecurity best practices

One challenge faced by organizations such as banks is how to implement and assess against industry-recommended cybersecurity best practices. CIS SecureSuite Membership allows organizations to download CIS Benchmarks in machine-readable formats including XML. This helps tools analyze endpoints against the CIS Benchmarks for conformance. It’s a huge time-saver for the bank. As Adam explains,

Doing this allowed us to quickly and easily deploy industry-recommended security best practice configurations. Without this resource, the hardening of our devices would have taken a lot longer and required many meetings between IT and Security to debate which configuration settings to change and the impact they could have. The CIS Benchmarks provided the necessary information to alleviate many of the fears IT may have had with changing specific settings.

By providing consensus-developed security recommendations in a convenient format, CIS SecureSuite Membership helps Adam’s security team implement cybersecurity best practices.

Reaching for conformance

Full compliance to a CIS Benchmark can be challenging, or may not be possible due to organizational policies. At his bank, Adam says they are implementing as many CIS Benchmark security controls as possible, but do not have a requirement for a particular compliance score. “Within the next three years, I plan on moving towards a 100% conformance rate with the controls we have implemented or do not have an exception documented for.”

For situations where organizational requirements are different from the recommendations of the CIS Benchmarks, it’s important to create documentation to define where these exceptions exist and why. Adam’s IT team at the bank documents exceptions thoroughly. This process helps them understand exactly which business processes would break or what the impact would be if a particular control were implemented.

Securing the future

There’s more to discover in CIS SecureSuite Membership, including Build Kits which can implement CIS Benchmarks quickly through GPOs or shell scripts. While adopting the CIS Build Kits is still new to Adam’s team, he foresees them embracing them going forward.

At the end of the day, Adam would highly recommend CIS SecureSuite “to anyone who needs a jump-start to get their security configuration project and to those with an established security configuration process already-in-place as this membership can also be used to verify already existing security configurations.” CIS SecureSuite Membership can provide security value and help implement configuration best practices for both new and experienced cybersecurity professionals.