The Center for Internet Security (CIS) has just released its second security "benchmark," a collection of best practices and security settings meant to ensure a "prudent level of minimum due care for operating system security."

CIS' new benchmark is for Windows 2000 operating systems, whereas its first benchmark, delivered in July, addresses Solaris. Both are available at the CIS Web site:

CIS is on to something. Its members represent diverse groups with a common interest - reducing the harm caused by insecure IT systems. It is an independent, nonprofit organization that, since it's founding just over a year ago, has produced tangible, effective tools that it makes available to anyone, at no charge.

CIS founders include two groups involved with IT auditing (The Information Systems Audit and Control Association and The Institute of Internal Auditors), two groups involved with computer security (The International Information Systems Security Certification Consortium and The SANS Institute) and one group, the Institute of Internal Auditors, involved with both auditing and security. Members include financial and insurance companies, government and law enforcement agencies, utilities, service and consulting organizations as well as individuals. Vendors whose products are the subject of CIS benchmarks cannot be members, although they can participate in an advisory capacity, says Clint Kreitner, CIS's president and CEO, and one of only two full-time staffers.

CIS models itself on other groups formed by organizations with a common interest. One such group is the Insurance Institute for Highway Safety, an independent, nonprofit organization founded by auto insurance companies. The Institute conducts many highly publicized studies, such as those that show which vehicles are prone to rollovers.

Although they've got financial interests at heart, insurance companies are just as interested as the general public in keeping highways safe. So it makes sense that much of the research that goes into determining what makes cars safer is conducted by this independent group.

Likewise, auditing and security groups are both concerned with risk assessment, which gets to the nub of what CIS is all about. It's hard to determine the relative risk of one organization suffering a cyberattack without knowing how well it is protecting itself relative to other, similar organizations. Coming up with benchmarks that define standards for duly secured operating systems makes the task more feasible.

At the same time, the benchmarks help IT organizations ensure their systems are properly secured.

In fact, Kreitner says the impetus for founding CIS was the need for detailed operational standards. While the International Standards Organization and other groups had standards that addressed security policy and procedures, such as what constitutes a good password policy, they did not have tools that checked to see whether what you had in place complied with your policy.

"Our tools check to see what you're actually doing," Kreitner says. The recently released Windows 2000 tool, for example, checks the Microsoft Web site for its list of latest patches and checks to see whether each is installed on your system, forwarding any that are missing.

Another important aspect of the CIS benchmarks is that they are designed to be run frequently. "Once-a-year auditing is less and less effective in a world that's moving at Internet speed," Kreitner says. "It's important to give organizations and auditors tools that allow constant monitoring of compliance with standards. You can run our Windows 2000 and Solaris tools every day if you want."

The benchmarks detail the various settings that should be in place to harden the system and how to make required changes. Also included is a scoring tool that rates the relative security of the system under test, pointing to areas that need improvement.

CIS creates these benchmarks by starting with existing published work for each operating system, then sending a draft to memers for review and comment. Once the comments are incorporated, a pre-release version goes out for further review before the final benchmark is published.

This procedure is similar to the way many standards bodies work, but the CIS seems to conduct the process at something approaching breakneck speed relative to other efforts. The group was founded in October 2000, published its first benchmark in July of this year and its second in November. Benchmarks for HP-UX, Linux, AIX, Cisco routers, Check Point FireWall-1 and VPN-1 will all be done within a year, Kreitner says.

"The long-term goal is to proliferate these standards and tools, so that they become the accepted norm," he says. That includes having vendors ship operating systems and other products with a CIS-approved level of security implemented out of the box.

"One of the banes of security is that vendors ship their products with security settings completely disabled," Kreitner says. "That's real handy to get the product up and running but there's been a study that shows once you connect a system to the Internet, it'll be scanned [by potential hackers] within about 300 seconds."

I look forward to the day when CIS benchmarks are as pervasive as seatbelts.

Desmond is a writer and editor based in Framingham, Mass. He serves as editor of, a source of practical security information for IT managers, CIOs and business executives. Email him at