Why CIS is the Best Security Framework for MSPs
A couple of months ago I wrote about the importance of adopting a security framework to give structure and process to securing your practice. I went over several common frameworks and debated the pros and cons of each. In this article I am going to delve into the reasons why the Center for Internet Security (CIS) Framework is the best fit for MSPs.
When we compared the NIST and ISO frameworks to CIS, we found that NIST and ISO are somewhat loose and vague about which specific controls must be implemented in order to be compliant. Both standards define outcomes and requirements but leave a lot of leeway for alternative approaches to meeting each control. While this flexibility may be desirable in some situations, it can be confusing and lead to lapses in security. CIS, on the other hand, is very defined and prescriptive about what actions are needed to meet the standard. CIS also defines three clearly delineated tiers, Implementation Groups 1, 2, and 3, so an organization can pick the level that matches its needs.
Implementation Group 1 covers basic cyber hygiene. All organizations should strive to achieve IG1 at the very least, and that may be enough for a small business with no real exposure to sensitive data. Implementation Group 2 is most likely the appropriate level for most organizations and most MSPs; it provides an appropriate level of protection for a reasonable amount of financial investment. Organizations that are custodians of very sensitive information or that manage critical systems would likely want to achieve Implementation Group 3. Note that the groups are cumulative: IG2 includes every IG1 safeguard, and IG3 includes everything in IG1 and IG2.
Perhaps the most difficult part of implementing a security framework is knowing where to start. To guide organizations through the process, CIS has created the CIS Controls Self-Assessment Tool (CSAT). Using the CSAT, an MSP can quickly determine its current state relative to the CIS Controls, measure the gap between where it is today and the Implementation Group it wants to reach, and then track its progress against that goal over time.
One of the fundamental tasks of any MSP is the deployment of new technology into their clients' networks. This includes servers (cloud based or on-premises), workstations, switches, firewalls, Wi-Fi, etc. Each of these devices introduces potential vulnerabilities if not configured properly. This is where CIS really sets itself apart from the rest of the security framework community. Through close collaboration with many hardware and software manufacturers, CIS has developed a series of Benchmarks that provide a clear guide to the secure configuration of hundreds of products, including Windows operating systems, Microsoft Azure services, macOS, Palo Alto firewalls, Cisco switches, and many more. For instance, if the MSP is deploying Windows Server 2019, it can reference the Benchmark for Windows Server 2019 and configure the system to the Benchmark's Level 1 or Level 2 profile; each recommendation is mapped back to the CIS Controls, so the MSP can tie the configuration to the Implementation Group it is targeting.
The Benchmark guides are extremely thorough and detailed; many are more than 1000 pages in length. Although it would be possible to follow the guide and configure a system manually, it would be incredibly time consuming and laborious. For this reason, CIS has created Build Kits for most of the Benchmarks. Build Kits automate the application of the configuration through scripts and Group Policy Objects. This allows the MSP to apply the proper security to the device quickly, efficiently, and consistently. One caveat from practice: some Benchmark settings will break legacy applications or management tooling, so apply a Build Kit to a test scope first and review exceptions before rolling it out to production.
Additionally, CIS has created the CIS-CAT Pro Assessor. CIS-CAT Pro automates the comparison of a system's configuration against the corresponding Benchmark and can also identify missing patches. The resulting report lists every setting that deviates from the Benchmark, which is exactly the list of changes required to bring the system back into compliance.
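To make the compare-and-report pattern concrete, here is an added PowerShell example of the kind of configuration-drift check that CIS-CAT Pro and the Build Kits automate at scale. It is not code from the article, from CIS, or from CIS-CAT; the three baseline entries are illustrative registry-backed settings chosen for this example, and the expected values are assumptions, not the actual CIS Benchmark recommendations. Take the real paths, values, and check IDs from the Benchmark for the operating system you are hardening.

```powershell
# Added example (not from the original article or from CIS): a minimal
# configuration-drift audit in the style of what CIS-CAT Pro reports and
# what a Build Kit remediates. The baseline below is an ASSUMPTION for
# illustration; substitute the real recommendations from the CIS Benchmark.

$Baseline = @(
    @{ Id = 'EXAMPLE-1'; Title = 'SMBv1 server disabled'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Name = 'SMB1'; Expected = 0; Type = 'DWord' },
    @{ Id = 'EXAMPLE-2'; Title = 'UAC prompts administrators for consent on the secure desktop'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'ConsentPromptBehaviorAdmin'; Expected = 2; Type = 'DWord' },
    @{ Id = 'EXAMPLE-3'; Title = 'LM hashes are not stored'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name = 'NoLMHash'; Expected = 1; Type = 'DWord' }
)

function Test-BaselineItem {
    # Read one registry value and compare it to the expected value.
    # A missing key or value is reported as non-compliant, not as an error,
    # because "not configured" is usually the insecure default.
    param([hashtable]$Item)
    $actual = $null
    try {
        $actual = (Get-ItemProperty -Path $Item.Path -Name $Item.Name -ErrorAction Stop).($Item.Name)
    } catch {
        $actual = $null
    }
    [pscustomobject]@{
        Id        = $Item.Id
        Title     = $Item.Title
        Expected  = $Item.Expected
        Actual    = $actual
        Compliant = ($null -ne $actual -and $actual -eq $Item.Expected)
    }
}

function Invoke-BaselineAudit {
    # Audit every baseline item; with -Remediate (run as Administrator),
    # write the expected value and re-check, so the report shows the end state.
    param([switch]$Remediate)
    $results = foreach ($item in $Baseline) {
        $r = Test-BaselineItem -Item $item
        if (-not $r.Compliant -and $Remediate) {
            if (-not (Test-Path $item.Path)) { New-Item -Path $item.Path -Force | Out-Null }
            Set-ItemProperty -Path $item.Path -Name $item.Name -Value $item.Expected -Type $item.Type
            $r = Test-BaselineItem -Item $item
        }
        $r
    }
    $results | Format-Table -AutoSize | Out-Host
    $failed = @($results | Where-Object { -not $_.Compliant }).Count
    Write-Host ("{0} of {1} checks non-compliant" -f $failed, $results.Count)
    return $failed
}

# Audit only by default. Add -Remediate to apply the expected values; the
# non-zero return value doubles as an exit code for an RMM or CI job.
Invoke-BaselineAudit
```

Run it in audit mode first and keep the output as evidence; only switch to -Remediate once the exceptions for that client are understood, which is the same test-then-enforce discipline the Build Kits call for.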
Access to the CIS Controls documentation and the CSAT is free of charge. However, the more advanced tools, such as the Build Kits and CIS-CAT Pro, require membership in the CIS SecureSuite program. The annual fee for SecureSuite membership varies by company size. Academic, non-profit, and government agencies may be eligible for free subscriptions. MSPs looking to use the framework for commercial purposes and consulting services pay an annual fee based on their annual revenue.
Given the highly prescriptive nature and clear definition of the standards the CIS Security Framework is the ideal framework for MSPs. Compliance is achieved through specific controls and those controls are enforced on deployed products in an automated and auditable fashion.
Additionally, CIS overlaps heavily with the other common frameworks and standards, and CIS publishes cross-reference mappings between the Controls and them. An MSP that has achieved Implementation Group 2 has therefore already covered much of the ground required by the regulations its clients are subject to, such as HIPAA, SOX, GLBA, etc. MSPs that also pursue ISO 27001 certification or alignment with the NIST framework are well on their way to that goal as well, thanks to the overlap and cross references between the standards.
By implementing the CIS Security framework MSPs will increase their value, reduce their risk, and outshine the competition. What MSP wouldn’t want that?