"Organizations like CIS—particularly those providing sound proscriptive guidance for deploying and operating complex technology—are the future of our industry. In an industry experiencing dizzying change, when experts and domain expertise are difficult to come by, CIS stands as a shining example of expert collaboration on the thorniest problems facing our industry."
- Frank Heidt
Chief Executive Officer
Leviathan Security Group, Inc.
“The goal of any security and compliance initiative is to not only get systems into a secure state, but a state that balances the organization’s application needs against its security risks. Because risk assessment for technical systems is extremely challenging and time consuming to implement, CIS provides an excellent starting point for risk assessment by enabling an organization to compare systems against a best practices standard for security. And because CIS benchmarks are vetted by industry experts, you will meet the compliance requirement for ‘best practices’ and security hardened systems when you base your compliance initiatives on these benchmarks.”
- Sean Sherman, CISSP, CISA, PMP, CPISM
Program Manager
Tripwire
(see Tripwire white paper at http://cisecurity.org/en-us/?route=downloads.casestudies)
“The CIS collaborative process results in products that are an order of magnitude better in scope and quality - with only a fraction of the funding of other standards groups. The operating model of CIS fosters effective interaction between government and industry, an essential element of our national cyber security strategy.”
- John Gilligan
Chairman
CIS Board of Directors
“Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry accepted system hardening standards as defined, for example, by SysAdmin Audit Network Security Network (SANS), National Institute of Standards Technology (NIST), and Center for Internet Security (CIS).”
- Requirement 2.2, Payment Card Industry Data Security Standard (PCI DSS)
“The Microsoft Windows 7 and Microsoft Windows Server 2008 benchmarks are additional examples of how CIS supports companies with adopting the latest market ‘technology’ while maintaining a secure and robust environment. Having a sound foundation upon which to build a secure solution is absolutely critical and is a core requirement in the development process of airline solutions and product offerings from SITA.”
- Joe McGinley
Information Security Director
SITA
“Our search for configuration standards revealed the CIS Benchmark portfolio to be the only set of comprehensive configuration standards being expanded and kept up to date. Other standards often referenced the CIS standards – they are the de facto standard for good configuration practice.”
- Robert Hartwig
Information Systems Security Specialist
City of Las Cruces, New Mexico
"Customers in demanding verticals such as Capital Markets, Government, Telecommunications and Healthcare rely on Sybase to balance performance and usability with security requirements that are often non-negotiable. Sybase continues to be committed to driving database innovation while maintaining the highest levels of security. We are pleased to collaborate with CIS in its security configuration benchmark and help the Sybase user group community maintain the integrity and privacy of mission critical data."
- Peter Thawley
Senior Director, Architect
CTO Group, WMO for Sybase
“Serious data breaches, reported on a near daily basis across all industry sectors, can cripple organizations. A cornerstone of an effective data security policy is ensuring that databases are configured to be as secure as possible. Modern database systems offer a plethora of security options and configurations including access controls, comprehensive audit facilities and encryption. Security, however, is often wrongly disregarded as a performance hindrance and advanced options are misunderstood, misconfigured or simply not used. The aim of this guide (the CIS benchmark for Sybase ASE), therefore, is to provide clear best practice advice for making use of all security features within Sybase ASE so that organizations can achieve a solid database security baseline."
- John Heasman
VP of Research at NGSSoftware
Author of "The Database Hacker's Handbook"
Co-author of the second edition of "The Shellcoder's Handbook"
“The CIS Benchmarks are considered a tremendous success. Many industry and governmental organizations have used the benchmarks as either an internal security standard or as a starting point for creating their own standards. Because they are freely available, independent (of vendor-only authorship), well-documented and easy to interpret, it is not hard to understand their popularity. And given the rise of security concerns, increased regulation and compliance issues, the CIS benchmarks have become a cornerstone for good system security.”
- Sean Sherman, CISSP, CISA, PMP, CPISM
Program Manager
Tripwire
(see Tripwire white paper at http://cisecurity.org/en-us/?route=downloads.casestudies)
"The CIS benchmark score provides instant feedback on the security of a Windows 2000 system. It is a clear, concise report that managers and auditors can use to rate their organization's system security. The benchmark document provides the system administrators with a clear set of action items that need to be performed to raise the level of security. It is a great tool!"
- Randy Marchany
Director of CIRT, Appliance & Network Defense Initiative
Virginia Tech
"I've always thought I did a pretty good job of securing my boxes. After running your tool, I've discovered that my systems are pretty tight (which makes me breathe a sigh of relief), but there is still room for improvement. The benchmarks tool pointed out several areas that I had overlooked."
- Jeffrey Isherwood
Senior Security Engineer, UNIX systems
Air Force Research Laboratory, Rome Research Site
"This is a practical and immediately useful document which will enable the standardized establishment, tracking, and reporting of information security metrics throughout the industry. It kick-starts a move towards maturity in this area and lays the groundwork for benchmarking, which has been impossible to date. We look forward to future evolutions of this document, and observing and participating in the changes to strategy and tools design which will follow."
- Caroline Wong
Global Information Security (GIS) Chief of Staff & Manager, Strategy & Communications
eBay
"I have long believed that creating relevant metrics for information security effectiveness hinges on measuring IT operations effectiveness. This project is driven by the audacious vision that by inventorying the state of IT practice, we will be able to show what practices prevent security breaches from occurring, and enable quick detection and recovery when they occur."
- Gene Kim
CTO
Tripwire
"In my opinion, metrics are a critical prerequisite for turning IT security into a science, as opposed to a black art. Metrics, managed correctly, foster the structure, repeatability, and rigor needed to provide decision makers with hard facts and data, as opposed to untestable hypotheses and unsubstantiated conjectures. Security metrics is in its infancy and, in my opinion, has been stuck there for too long. CIS marshaled all the ingredients for a breakthrough: consensus-making with leaders about what to measure and a capability to deliver valuable measurements. I am excited that CIS is stepping up with a concrete path moving forward."
- Elizabeth Nichols
CTO
PlexLogic