What is security compliance?
Updated: Mar 7, 2021
Enterprise IT systems are subject to laws and regulations about how they are set up and managed. This is particularly true in cases where IT systems store or handle sensitive data about customers, patients, or employees.
Security compliance, or cyber security compliance, refers to the IT security teams’ responsibility to ensure that all of the IT infrastructure and systems used to support the business remain compliant with external laws and any internal security protocols established by the organization.
Why is security compliance important?
Maintaining security compliance is critical to an organization for two main reasons.
First, organizations that are out of compliance with laws and regulations are subject to fines, legal action, and reputational damage, all of which can be expensive and can derail business objectives.
Second, enforcing security compliance standards hardens critical IT systems and makes it more difficult for bad actors to exploit them for monetary gain, data theft, or malicious attacks on the organization.
This is why many organizations create their own internal security compliance standards based on best practices from industry security leaders—such as CIS—that augment and improve the external standards they are legally required to meet.
Continuous global cyber security compliance enforcement
According to a recent report from Tenable, 95% of organizations have faced organizational and technical roadblocks when trying to implement a compliance framework. In addition, 44% have automated fewer than 1/3 of the foundational controls. These challenges are due in large part to limited human resources, the size and complexity of digital IT environments, and the disconnect between security and IT workflows and priorities.
Compliance automation technologies allow IT operations teams to define the framework of a compliant environment with certified content from security leaders such as CIS, ensure that all new systems are built in accordance with that framework, and detect deviations from the policy and correct them via automated runbooks.
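The three steps above (define the baseline, detect deviations, correct them) are what a compliance-automation loop does at the level of a single configuration file. The following is an added example, not code from the original page or from any vendor product: it defines a small constructed baseline modelled on CIS-style SSH hardening recommendations (the rule titles and values are illustrative, not quoted from a specific CIS Benchmark version), audits a constructed sshd_config-style file against it, and produces a remediated copy. The audit treats an unset directive as drift, because a compliant baseline requires the setting to be explicit rather than relying on a daemon default.

```python
"""Minimal compliance-drift checker and remediator for a key/value config file.
Added example; baseline and sample config are constructed for illustration."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    key: str            # configuration directive, e.g. "PermitRootLogin"
    expected: str       # compliant value (or upper bound when numeric_max is set)
    title: str          # human-readable recommendation title
    numeric_max: bool = False  # True: value must be an integer <= expected

    def is_compliant(self, value: Optional[str]) -> bool:
        if value is None:
            return False  # unset directive counts as drift: baseline must be explicit
        if self.numeric_max:
            return value.isdigit() and int(value) <= int(self.expected)
        return value.lower() == self.expected.lower()


# Constructed baseline; titles follow the style of CIS recommendations but are
# not copied from any particular benchmark release.
BASELINE = (
    Rule("PermitRootLogin", "no", "Ensure SSH root login is disabled"),
    Rule("PermitEmptyPasswords", "no", "Ensure SSH PermitEmptyPasswords is disabled"),
    Rule("X11Forwarding", "no", "Ensure SSH X11 forwarding is disabled"),
    Rule("MaxAuthTries", "4", "Ensure SSH MaxAuthTries is 4 or less", numeric_max=True),
)

# Constructed sample file: root login enabled, X11 forwarding on, too many auth
# tries, and PermitEmptyPasswords never set at all.
SAMPLE_SSHD_CONFIG = """\
# constructed sample sshd_config
Port 22
PermitRootLogin yes
X11Forwarding yes
MaxAuthTries 6
"""


def parse_config(text: str) -> dict:
    """Map directive (lower-cased) -> value. Lines starting with '#' and blank
    lines are ignored; the first occurrence of a directive wins, as sshd does."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(parts[0].lower(), value)
    return settings


def audit(text: str, baseline=BASELINE) -> list:
    """Detect deviations: one finding per rule the config does not satisfy."""
    settings = parse_config(text)
    findings = []
    for rule in baseline:
        actual = settings.get(rule.key.lower())
        if not rule.is_compliant(actual):
            findings.append({"key": rule.key, "title": rule.title,
                             "actual": actual, "expected": rule.expected})
    return findings


def remediate(text: str, baseline=BASELINE) -> str:
    """Return a corrected config. For each drifting rule, rewrite the first
    effective occurrence of the directive in place, or append it if absent.
    Running it on already-compliant input returns the input unchanged."""
    lines = text.splitlines()
    settings = parse_config(text)
    for rule in baseline:
        if rule.is_compliant(settings.get(rule.key.lower())):
            continue
        fixed = f"{rule.key} {rule.expected}"
        for i, raw in enumerate(lines):
            stripped = raw.strip()
            if not stripped or stripped.startswith("#"):
                continue
            if stripped.split(None, 1)[0].lower() == rule.key.lower():
                lines[i] = fixed
                break
        else:
            lines.append(fixed)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for f in audit(SAMPLE_SSHD_CONFIG):
        print(f"DRIFT {f['key']}: actual={f['actual']!r} expected={f['expected']!r}  ({f['title']})")
    corrected = remediate(SAMPLE_SSHD_CONFIG)
    print("--- remediated ---")
    print(corrected, end="")
    print("remaining findings:", len(audit(corrected)))
```

In a real pipeline the audit output would be the scan report and the remediation would run as an automated runbook; keeping the two steps separate, and making the remediation idempotent, is what lets the loop be re-run continuously without producing spurious changes on hosts that are already compliant.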
Who is CIS?
CIS, or the Center for Internet Security, is a non-profit organization that, since 2000, has worked to define a set of standard configurations that can serve as a secure baseline for technologies used in business and government IT.
CIS provides a series of tools—including Benchmarks and Controls—that help IT security professionals stitch together and simplify requirements across multiple frameworks and regulations. While CIS is the first to recognize that their resources do not cover every use case and there is still a need for other frameworks, the “spirit of the law” approach they take to mapping their content across industry frameworks has made them the standard for many organizations worldwide.
What are CIS Benchmarks and Controls?
CIS (the Center for Internet Security) harnesses the vast knowledge and experience of a global IT community to define and refine their security guidelines. Specifically, CIS Controls are a standardized set of 20 guidelines and related sub-controls that security teams can use to build a baseline security policy for their organization.
If we think of CIS Controls as the guideline for creating a best-practice security policy, then CIS Benchmarks are the specific recommendations for applying that policy to all of the technologies an organization is using. There are currently 140 CIS Benchmarks for specific technologies, including operating systems, middleware, software applications, and network devices.
How do IT security teams use frameworks from CIS, NIST and others?
IT security teams use frameworks from CIS, NIST, ISO, and others to build out foundational security compliance policies as well as enforce specific requirements on their IT infrastructure, operating systems, applications, and so on.
REDE Security and compliance solution provides certified CIS Benchmark scans and automated remediations that can be easily applied across the organization’s entire environment. These Benchmarks also include cross-references to frameworks from NIST, ISO, HIPAA, and others. This allows IT security teams to use the CIS Benchmark content to “kill multiple birds with one stone”. In other words, they can ensure they are meeting the requirements of multiple frameworks and regulations while only needing to enforce the CIS framework.