Compliance Policies are used by companies, organizations, or authorities to check whether all products, applications, operating systems and other components used meet certain specifications. The Center for Internet Security (CIS) provides so-called CIS benchmarks for this purpose. Since March 2021, the Greenbone solutions also offer the possibility to check the fulfillment of CIS Benchmarks – with the help of new compliance policies.
But what do we actually mean by a compliance policy?
In addition to legal requirements, companies, organizations and authorities often have their own requirements that must be met for the secure configuration of a system. Such requirements can be formulated, for example, by a software or application vendor for its own products, but also by IT security organizations.
The aim is to ensure the information and data security of a company or an authority by guaranteeing the confidentiality, integrity, availability and authenticity of information.
All specifications and guidelines, but also recommendations to be fulfilled for this purpose, are bundled in a policy in written form.
These guidelines form the basis for compliance policies developed by Greenbone, i.e., for the collection of tests that a Greenbone solution runs on a target system. A vulnerability test is developed for each individual requirement or recommendation to check compliance with that requirement or recommendation. All tests are combined to scan configurations by Greenbone and added to the Greenbone Security Feed.
Since the scan configurations in this case map company or authority guidelines, they are referred to as “compliance policies”.
Example: A company issues a policy with the following requirements:
- Version 2 of software A is installed on the target system
- SSH is enabled on the target system
- Software B is not installed on the target system
For each of the requirements, Greenbone develops a vulnerability test that queries whether the respective condition is met.
The three tests are then combined into a compliance policy that a user of Greenbone solutions can select for running a vulnerability scan. During the scan, it is then checked whether the conditions listed above are met on the target system.
CIS Benchmarks as decisive security guidelines
The Center for Internet Security (CIS) also publishes such security guidelines: the so-called CIS Benchmarks. CIS is a non-profit organization founded in 2000 to provide best practices for IT security that are used by governments, industry and academia.
One of the largest fields of activity of the organization is the so-called CIS Benchmarks. These are recommendations for handling and configuring numerous products from a wide range of product families. For example, there are CIS benchmarks for web browsers such as Mozilla Firefox or Google Chrome, for operating systems like Microsoft Windows or different Linux distributions, but also for the Microsoft Office products.
In contrast to many other security standards, which only make basic specifications regarding IT security – for example, that there must be vulnerability management – the CIS benchmarks are very detailed. They provide requirements that must be met in order to harden a system, i.e. make it more secure and protect it against attacks. Among other things, this can include criteria for passwords, but also the specification for a certain installed software version.
The CIS Benchmarks are provided by CIS free of charge as a PDF and are constantly being expanded. For CIS SecureSuite Members – just like Greenbone is since 2021 – the CIS Benchmarks are also available via the CIS Workbench in other formats, for example for Microsoft Word or Excel.
CIS-certified Compliance Policies at Greenbone
As with the security policies of other companies, organizations or authorities, Greenbone has now developed own compliance policies based on the CIS benchmarks. These enable users of a Greenbone solution to check their networks, systems and applications against the requirements from the CIS benchmarks. Since March 2021, several compliance policies that map CIS benchmarks are included in the Greenbone Security Feed.
And the special thing about it: the compliance policies developed by Greenbone are certified by CIS! This means that users can be sure that their system is tested according to the hardening recommendations of CIS.
Users can now check their systems to see whether the CIS requirements are met. This also simplifies the preparation of audits. Important criteria can already be checked in advance with a scan by a greenbone solution and any weaknesses found can be eliminated.
But these CIS certified compliance policies will not be the end of the story. Many more policies that map CIS Benchmarks are in the planning or even already in development at Greenbone.