Center for Internet Security (CIS) Benchmarks are a series of guidelines developed to enhance an organization's security posture across various technology platforms, including Microsoft Office 365 (O365). These benchmarks, developed through a community-driven consensus process, cover a wide range of vendor product families and serve as a foundation for implementing a defense-in-depth strategy, ensuring services and products are secure by default.
Broad Categories and Alignment with O365
The CIS Benchmarks cover seven broad categories, each of which can be aligned with Office 365 security practices:
Operating Systems: For O365, ensure that all devices accessing the service run operating systems that are up to date with the latest security patches and configured as CIS recommends.
Cloud Infrastructure and Services: Directly applicable to O365, follow best practices for securing your cloud environment, including the use of secure access controls, encryption, and monitoring activities.
Server Software: While O365 is a cloud service, integration with on-premises servers for hybrid configurations must adhere to CIS recommendations for securing server-based applications.
Desktop Software: Secure all desktop applications accessing O365 by applying CIS benchmarks, ensuring software is regularly updated and follows best security practices.
Mobile Devices: Implement guidelines for securing mobile devices and their operating systems to protect access to O365 applications on-the-go.
Network Software: Secure network infrastructure that supports O365 access, including routers and switches, following CIS best practices.
Multi-Function Print Devices: Ensure that devices connected to O365 for printing or scanning are secured as per CIS recommendations to prevent unauthorized access.
Levels of CIS Benchmarks and O365
CIS Benchmarks are divided into two levels, each suitable for different security needs:
Level 1 Profile: Offers basic security recommendations. For O365, this could include implementing default security configurations provided by Microsoft, ensuring broad compatibility and minimal impact on usability.
Level 2 Profile: Provides more advanced security measures suitable for environments handling sensitive data. In O365, this may involve stricter access controls, advanced threat protection features, and comprehensive data loss prevention policies.
Benefits of Implementing CIS Benchmarks with O365
Adopting CIS Benchmarks for O365 can significantly enhance security, offering benefits such as:
Reduced Risk of Data Breaches: Strengthening O365 security configurations as per CIS recommendations can lower the likelihood of breaches and cyber-attacks.
Enhanced Security Posture: Aligning O365 practices with CIS benchmarks strengthens defense mechanisms against cyber threats.
Increased Customer Trust: Demonstrating a commitment to security can enhance customer satisfaction and trust.
Compliance with Regulations: Following CIS Benchmarks helps ensure adherence to legal and security standards, important for regulatory compliance.
CIS Controls vs. CIS Benchmarks for O365
While CIS Controls provide generic security guidelines, CIS Benchmarks offer specific recommendations, including settings and configurations for O365. They give detailed guidance for securing your cloud environment in alignment with the broader security controls.
CIS Benchmark Gap Analysis and Remediation for O365
Our CIS Benchmark Gap Analysis Service will identify how your current O365 setup compares to CIS Benchmarks, highlighting gaps and providing actionable recommendations for improvement. Our Remediation Service assists in implementing these changes, ensuring your O365 environment aligns with CIS Benchmarks for optimal security.