ITaP Security and Policy is often asked to recommend a set of systems security configuration guidelines that Purdue System Administrators can consult in the absence of specific Purdue University guidelines. While a number of commercial or external benchmark tools and guidelines are available to system administrators as best practice standards for security configuration, ITaP Security and Policy recommends the use of benchmarks created by the Center for Internet Security (CIS).
The Center for Internet Security (CIS) helps organizations reduce risks incurred from the use of inadequate technical security controls. CIS distributes consensus best practice benchmarks for security configuration. These benchmarks are unique because they are created by consensus among hundreds of security professionals worldwide. The benchmarks are widely accepted by U.S. government agencies for FISMA compliance, and by auditors for compliance with the ISO standard as well as the Gramm-Leach-Bliley Act (GLBA), Sarbanes-Oxley Act (SOX), HIPAA, FERPA, and other information security regulatory requirements. CIS offers the benchmarks and scoring tools for free from their website.
Purdue University is a member of the CIS, and as such has the right to distribute the benchmarks and tools for use within Purdue University. ITaP Security and Policy recommends the CIS benchmarks for consultation and use by Purdue University System Administrators when no other specific Purdue University policy, standard, guideline, or procedure applies to the underlying system.
Any number of Purdue University employees may obtain a user account on the CIS Members Site. To register, go to http://community.cisecurity.org/ and click the "register" link. (This page is also accessible via a link from the home page of the public web site, http://www.cisecurity.org.) Complete and submit the registration information. Within 24 hours you will receive an email indicating that your registration has been activated. Then you can enter the site using the username and password you selected.
All the CIS Benchmarks, and several software Scoring Tools that can be used to compare the configuration of Purdue systems to the benchmarks, are distributed from the CIS Public Web Site at http://www.cisecurity.org. There is no need to register for access to that site. On the Members Web Site, Purdue employees have access to CIS Scoring Tools with specialized features, including:
The CIS Members Web Site also contains various discussion forums and development versions of new Benchmarks and Scoring Tools. Please note that ITaP Security and Policy does not support the tools and benchmarks available from CIS.
To read more about the benchmarks, please visit: http://benchmarks.cisecurity.org/en-us/?route=downloads.benchmarks