What are CIS Benchmarks?

CIS Benchmarks are also known as Configuration Policy Benchmarks. They are developed by the Center for Internet Security (CIS), a not-for-profit organization that develops benchmarks that allow organizations to improve their security and compliance programs and posture. This initiative aims to create community-developed security configuration baselines, or CIS Benchmarks, for IT and security products that are commonly found throughout organizations.

Benefits of CIS Benchmarks 

Security organizations looking to achieve CIS compliance by adhering to specific benchmarks can expect benefits like: 

  • Safeguarding systems against continuously evolving cyber threats
  • Improved cloud-environment security posture and threat response
  • Long-term C-Suite trust and budget allocation for the security organization
  • Increased customer confidence that comes from demonstrating self-adherence to industry- and sector-specific benchmarks
  • Faster remediation with benchmark-provided guidance when vulnerabilities are identified

With solutions from Rapid7 you can:

Check and report on your compliance with CIS benchmarks

Use InsightVM, Rapid7's vulnerability risk management solution, to easily and automatically check the settings on all the assets in your organization and determine their overall level of compliance with CIS benchmarks in one unified view.

InsightVM scans all of your assets for the overall level of compliance against CIS benchmarks and policies. You can use InsightVM to determine the overall level of compliance across the organization for each CIS benchmark that you are interested in via pre-built scan templates, or with the Custom Policy Builder capability. Custom Policy Builder enables you to create, modify, and augment common benchmarks like CIS based on the unique needs of your IT environment.

Ensure compliance in cloud environments

CIS offers benchmarks on best practices for the secure configuration of Amazon Web Services, Microsoft Azure, Google Cloud Platform, and Kubernetes. When using cloud or Kubernetes services, security is a shared responsibility between the cloud service provider and the customer. You as the customer are responsible for configuring and using cloud services in a way that is secure, and the CIS benchmarks provide a framework for how to do this.

InsightCloudSec enables you to automate compliance with CIS benchmarks. InsightCloudSec provides dozens of out-of-the-box policies as part of our CIS compliance pack that map back to specific directives within CIS benchmarks. For example, InsightCloudSec’s policy “Encryption Key Not Supporting Key Rotation” supports compliance with the “Logging 2.8” directive in the CIS Amazon Web Services Benchmark. You can immediately use the CIS compliance packs to identify and remediate policy violations in real time.
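To make concrete what a policy-to-directive mapping like the one above actually checks, here is an added example of a small evaluator for the CIS AWS Benchmark 2.8 key-rotation directive. It is illustrative code written for this page, not Rapid7's or InsightCloudSec's policy logic. The record fields (`KeyId`, `KeyManager`, `KeySpec`, `KeyState`, `KeyRotationEnabled`) are assumed to mirror what the AWS SDK returns from `describe_key` and `get_key_rotation_status`; the sample inventory is constructed by hand so the check runs offline, and the optional live collector expects a caller-supplied boto3 KMS client.

```python
"""Evaluate AWS KMS key metadata against CIS AWS Foundations Benchmark 2.8
(customer-managed symmetric keys must have automatic rotation enabled).

Added example, not Rapid7 code. Record shape assumed to mirror boto3's
kms.describe_key()["KeyMetadata"] plus the KeyRotationEnabled flag from
kms.get_key_rotation_status(); the inventory below is constructed by hand.
"""
from dataclasses import dataclass

CONTROL_ID = "CIS AWS Foundations Benchmark 2.8"  # section number as cited above

# Constructed sample inventory (not real keys or accounts).
SAMPLE_KEYS = [
    {"KeyId": "k-app-data", "KeyManager": "CUSTOMER", "KeySpec": "SYMMETRIC_DEFAULT",
     "KeyState": "Enabled", "KeyRotationEnabled": False},
    {"KeyId": "k-logs", "KeyManager": "CUSTOMER", "KeySpec": "SYMMETRIC_DEFAULT",
     "KeyState": "Enabled", "KeyRotationEnabled": True},
    {"KeyId": "k-aws-s3", "KeyManager": "AWS", "KeySpec": "SYMMETRIC_DEFAULT",
     "KeyState": "Enabled", "KeyRotationEnabled": True},
    {"KeyId": "k-signing", "KeyManager": "CUSTOMER", "KeySpec": "RSA_4096",
     "KeyState": "Enabled", "KeyRotationEnabled": False},
    {"KeyId": "k-retired", "KeyManager": "CUSTOMER", "KeySpec": "SYMMETRIC_DEFAULT",
     "KeyState": "PendingDeletion", "KeyRotationEnabled": False},
]


@dataclass(frozen=True)
class Finding:
    key_id: str
    status: str   # "FAIL", "PASS" or "NOT_APPLICABLE"
    reason: str


def is_in_scope(key):
    """The directive covers customer-managed, symmetric, enabled keys only:
    AWS-managed keys are rotated by AWS, asymmetric keys do not support
    automatic rotation, and disabled or pending-deletion keys are out of scope."""
    return (key["KeyManager"] == "CUSTOMER"
            and key["KeySpec"] == "SYMMETRIC_DEFAULT"
            and key["KeyState"] == "Enabled")


def evaluate_key(key):
    """Return one Finding for a single key record."""
    if not is_in_scope(key):
        return Finding(key["KeyId"], "NOT_APPLICABLE",
                       "not a customer-managed symmetric key in Enabled state")
    if key["KeyRotationEnabled"]:
        return Finding(key["KeyId"], "PASS", "automatic rotation enabled")
    return Finding(key["KeyId"], "FAIL",
                   "customer-managed symmetric key without automatic rotation; "
                   "remediate with kms:EnableKeyRotation")


def evaluate_inventory(keys):
    """Evaluate every key record and return the list of Findings."""
    return [evaluate_key(k) for k in keys]


def failing_key_ids(keys):
    """Sorted IDs of keys that violate the directive; handy for a report."""
    return sorted(f.key_id for f in evaluate_inventory(keys) if f.status == "FAIL")


def collect_live_inventory(kms_client):
    """Optional live collector (assumption: caller supplies a boto3 KMS client;
    not exercised offline). Rotation status is only queried for in-scope keys,
    because the API rejects that call for asymmetric keys."""
    records = []
    for page in kms_client.get_paginator("list_keys").paginate():
        for entry in page["Keys"]:
            meta = kms_client.describe_key(KeyId=entry["KeyId"])["KeyMetadata"]
            rec = {"KeyId": meta["KeyId"], "KeyManager": meta["KeyManager"],
                   "KeySpec": meta.get("KeySpec", meta.get("CustomerMasterKeySpec")),
                   "KeyState": meta["KeyState"], "KeyRotationEnabled": False}
            if is_in_scope(rec):
                rec["KeyRotationEnabled"] = kms_client.get_key_rotation_status(
                    KeyId=meta["KeyId"])["KeyRotationEnabled"]
            records.append(rec)
    return records


if __name__ == "__main__":
    for finding in evaluate_inventory(SAMPLE_KEYS):
        print(f"{CONTROL_ID}: {finding.key_id:<12} {finding.status:<15} {finding.reason}")
```

Run against the constructed inventory, only `k-app-data` fails: the AWS-managed key, the RSA signing key and the key pending deletion are reported as not applicable rather than as violations, which is the scoping a real benchmark check has to get right to avoid noisy findings.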

Cloud Risk Complete from Rapid7 helps you reduce risk across all of your dynamic cloud environments. A practitioner-first approach built on consolidation, optimization, and automation, this all-in-one solution leverages continuous security and compliance to reduce workload risk – all without the need for added costs.