Center for Internet Security Takes Leading Role in Industry Efforts to Enhance Security Automation

CIS is helping to foster open and trusted collaboration to further the development of international standards for security automation

EAST GREENBUSH, N.Y.--()--The Center for Internet Security (CIS), announces today its commitment to serving as a trusted resource and leader in the efforts to increase the availability of open standards-based security automation specifications and content to the international community. Through its work within the Internet Engineering Task Force (IETF), contributions to the Cybersecurity Framework development effort, participation on the Open Vulnerability and Assessment Language (OVAL) Board, and strong support of the Twenty Critical Security Controls for Effective Cyber Defense, CIS is helping to develop and promote the tools for international organizations to make rapid and continual improvements to their cyber security through security automation.

Adam Montville of CIS was recently named co-chair of the IETF’s new Security Automation and Continuous Monitoring (SACM) Working Group. Montville, along with SACM’s voluntary community of security experts, will work to develop a roadmap for establishing and extending existing security automation specifications as international standards. Through its role in SACM, CIS is helping to lead the effort to increase contribution to and adoption of security automation standards by organizations around the globe, for the collective benefit of all.

CIS is also providing input to the Cybersecurity Framework, an effort led by the National Institute of Standards and Technology (NIST) as called for by President Obama in an Executive Order issued earlier this year. The goal is to establish, through working directly with critical infrastructure entities and other stakeholders, a voluntary cyber security framework that leverages existing industry best practice security standards and guidelines, and is applicable to all critical infrastructure sectors. CIS is participating in the Framework Workshop this week in Dallas to provide input to the draft Framework, which will be released in February 2014.

“We look forward to continuing to work with the global security community,” said Rick Comeau Executive Director of the CIS Security Benchmarks program. “It is through these mutually supporting efforts, along with our vital partnerships with similarly committed organizations in industry, government and academia, that CIS intends to help realize the true potential of security automation.”

Additionally, CIS developed new schema enhancements to OVAL, an international standard language for open and publicly available security content. CIS presented the schema enhancements to the OVAL community during the recent MITRE OVAL Developer Days conference. The enhancements will reduce the complexity that currently exists in collecting and assessing configuration information stored using states of INI files (structured text files used to store application settings). CIS and SecPod Technologies developed the schemas for inclusion in the next version of OVAL (5.11), expected to be released later this year.

Security content automation is gaining momentum as organizations require faster, more cost-effective and highly scalable mechanisms to defend against the ever-changing cyber threat landscape, and standardized solutions for implementing controls and assessing their effectiveness. The quantity of open standards-based security automation content available today is far below what is needed to keep pace with the continual emergence of new and increasingly complex technologies, particularly for open-source platforms and applications, as well as more sector-specific systems. Automatable content that is based on industry-accepted security standards is the key to performing rapid, repeatable and comparable assessments.

Security automation is a key element in the implementation of the Twenty Critical Security Controls for Effective Cyber Defense, an industry best practice guideline now coordinated through the Council on Cybersecurity. The CIS configuration security Benchmarks, considered by many security practitioners worldwide as essential technical controls for hardening the most commonly used IT systems and technologies, can also help organizations accomplish the security objectives recommended in the Controls. The CIS Benchmarks provide specific recommendations that directly support implementation of nearly two-thirds of the Controls. A matrix that maps those CIS Benchmarks to the Critical Controls is freely available online.

For more information about the resources available through the CIS Security Benchmarks program, visit CIS at: http://benchmarks.cisecurity.org

About the Center for Internet Security

The Center for Internet Security (CIS) is a 501c3 nonprofit organization focused on enhancing the cyber security readiness and response of public and private sector entities, with a commitment to excellence through collaboration. CIS produces consensus-based, best practice secure configuration benchmarks and security automation content, and serves as the key cyber security resource for state, local, territorial and tribal governments, including chief information security officers, homeland security advisors and fusion centers. CIS provides products and resources that help partners achieve security goals through expert guidance and cost-effective solutions. To learn more please visit cisecurity.org or follow us at @CISecurity

Contacts

The Center for Internet Security
Krista Montie, 518-266-3460
Krista.montie@cisecurity.org
or
PR Director - Overit
Liz Grimes, 518-465-8829 x 213
Liz@overit.com

Release Summary

The Center for Internet Security is taking a leading role in the security automation efforts, helping to bring implementable standards to a broader, international audience.

Contacts

The Center for Internet Security
Krista Montie, 518-266-3460
Krista.montie@cisecurity.org
or
PR Director - Overit
Liz Grimes, 518-465-8829 x 213
Liz@overit.com