We're unpacking the differences between the Center for Internet Security's CIS Benchmarks and the US Department of Defense's Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs).

Previously, we discussed the anatomy of a baseline and gave a first introduction to free Lockdown Enterprise content.

Even when you're required to adhere to an industry standard (NIST 800-53, CMMC, PCI, HIPAA, etc.), using a baseline like STIG or CIS is a great starting point.
First the good news: they're both similar, and for good reason: there are only so many ways to configure a system for security.

Quick recap: STIG and CIS are the two primary third-party baselines adopted across public and private organizations.

STIGs tend to slant toward US Government requirements. Read the contents, and you'll see that the documents are littered with callouts to the Defense Information Systems Agency (DISA) and other US Government agencies. They also include specific US Government-mandated language for things like login prompts. Just because STIGs are usually targeted at the government doesn't mean that they can't be used by the private sector as well. It's important to note that STIGs are often defined with significant input from the vendors. Many commercial organizations and even foreign governments rely on STIG guidance because of the inherent trust and respect they have for the STIG's heavily researched and reviewed guidance.

It should come as no surprise that CIS baselines are more common in commercial organizations, but in fact, they're also used in many US Government civilian agencies. They are also heavily peer-reviewed, and member vendors participate in the CIS control creation and validation process.

Operating systems and Applications Coverage
For some, it may be a surprise to learn that there are baselines for applications as well as operating systems. Both STIG and CIS offer coverage for modern operating systems like Red Hat Enterprise Linux, CentOS, Ubuntu, Amazon Linux, and Microsoft Windows Server 20, as well as desktop platforms such as Windows 10 and macOS. They also address popular infrastructure software and platforms, including Cisco and VMware, and key infrastructure service layer components such as Active Directory, Apache httpd, IIS, and BIND.

There certainly are differences, however. Running the popular web and reverse proxy server NGINX? CIS has a benchmark for that, but on the STIG side you'll need to read into and apply the generic DISA Security Requirements Guide (SRG) for web servers (zip). The same goes for AWS, GCP, and Microsoft Azure.