Finally…real security standards

CIS's new security standards aren't just general recommendations--they're actually usable, says Wayne Rash. Plus, the compliance tools are free. Now that's good news for everyone.
Written by Wayne Rash, Contributor
Last week's announcement by the Center for Internet Security that it was releasing its long-awaited security standards is good news for everyone. Everyone, that is, except the Forces of Evil, in the form of hackers, virus writers, and worm purveyors.

It's good news because CIS has done more than simply make general recommendations, or even publish standards. Instead, CIS has developed standards you can actually use, along with tools you can use to test your own compliance.

CIS is an unusual group, to say the least. Its founding members consist of government agencies ranging from the Department of Defense, the National Security Agency (NSA), and the National Institute of Standards and Technology (NIST), to corporations such as Visa International, Intel, and PG&E. CIS's core mission is to address security problems that member consensus deems most critical, to create standards that address those problems, and to create benchmarks that test whether the security of Internet-attached devices is up to snuff.

To develop its standards, CIS started with existing standards from sources including the British government, the Internet Engineering Task Force, and NIST. CIS studied everything from the Top Ten Internet Security Threats list to recommendations from NSA and the SANS Institute. CIS members, as well as security vendors and potential users, chose the material by consensus.

Task list and testing tool

The result has been a collection of best practices for security, the security benchmarks, and a certification process for consultants, auditors, and software companies as well as users. Remarkably, the benchmarks created by CIS are available for free, for anyone who wants to use them.

When you download the benchmark suite from the CIS Web site, you get two things. The first is a list of tasks required to improve your security, designed so that carrying them out shouldn't create problems for mission-critical applications. The second is an automated testing tool that scans your network for security problems and includes a scoring tool with metrics for the relative security levels of your systems.

According to CIS, this testing tool should be run routinely to adequately monitor how secure your network is. That way, if you change something (or if someone else does), you'll know the security impact. Together, the testing and the task list should help you decide what you need to do about security and, more important, give you an unbiased means of getting the support and funding for needed improvements.

One of the best things about CIS is its independence. The organization is beholden only to its members. This means you don't need to worry about whether the group is trying to sell you consulting services or security products.

You'll know that the information is from an impartial and highly qualified source. When you ask for funding, show the extensive membership list to the CFO--then emphasize that all this expertise was free. But joining CIS and having a say might not be a bad thing either.

How has your organization used CIS standards to improve security? TalkBack below or e-mail us with your thoughts.
