Tuesday, July 21, 2020

Controls and Benchmarks: Necessary Evils

TLDR: Controls and benchmarks, while appearing to be cumbersome to some, are necessary evils in today's IT environment.

Figure 1 - CIS Controls
Benchmark, as it relates to computer systems, is defined as "a standardized problem or test that serves as a basis for evaluation or comparison." In the world of information technology there are many benchmarks. You can test whether your office computer runs its administrative programs efficiently, or see where your newest gaming computer ranks among other testers. The most important benchmarks, in my opinion, are those developed by the Center for Internet Security (CIS). The overall mission of CIS is to make the information technology world safer for everyone: governments, schools, municipalities, businesses, individuals, and so on. It does this by publishing controls and benchmarks. The easiest way to think about them is control = policy (what to do) and benchmark = evaluation (how to check that it was done).

CIS has developed 20 controls (in CIS Controls version 7.1, current at the time of this post; the count and numbering change between versions) based on real-world attacks and the defenses that have worked effectively against them. You can think of the controls as after-action items with feasible solutions. They are grouped into three categories: basic, foundational, and organizational (Figure 1).

An example is the first control listed, the basic control Inventory and Control of Hardware Assets. Under this control the organization should do several things regarding devices, among them: utilize an active discovery tool (Identify), address unauthorized assets (Respond), and deploy port-level access control (Protect). The security function in parentheses is the NIST Cybersecurity Framework function each sub-control maps to. CIS provides guidance on what the controls are for but leaves it up to the organization to determine how to implement them.

Figure 2 - An Ubuntu Benchmark Step
Benchmarks are not controls, but they are closely related. Where the controls say what an organization should be doing to protect its information technology assets, a benchmark gives direction on how to secure a specific platform. For instance, CIS provides a benchmark for systems running Ubuntu Linux 18.04 LTS (Figure 2); each recommendation in it states the setting, the rationale, how to audit the current state, and how to remediate it. Working through the benchmark lets the organization implement known best practices for those assets. Again, these are based on information gathered from attacks and on what has worked well against them.
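As an added example (not from the original post and not CIS's own audit scripts), here is what one benchmark recommendation looks like once it is turned into code: an audit function and a remediation function for the Ubuntu benchmark item that requires PermitRootLogin to be "no" in /etc/ssh/sshd_config. The sample sshd_config is constructed inline so the script runs offline, the function names are my own, and the benchmark's section number is deliberately omitted.

```shell
#!/bin/sh
# Added example: one benchmark recommendation as an audit + remediation pair,
# in the shape a CIS Ubuntu benchmark entry takes ("Ensure SSH root login is
# disabled": PermitRootLogin must be "no" in /etc/ssh/sshd_config).
# Illustrative code, not CIS's own scripts or the benchmark's exact text.
# The sshd_config below is constructed inline so the script runs offline.

# Print the effective value of a keyword in an sshd_config file.
# sshd uses the FIRST active occurrence of a keyword (later duplicates are
# ignored), keywords are case-insensitive, "key value" and "key=value" are
# both legal, and comment/blank lines are skipped. Match blocks are not modelled.
sshd_effective_value() {
    awk -v key="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        { sub(/[ \t]*=[ \t]*/, " ") }          # normalise key=value to key value
        tolower($1) == key { print $2; exit }  # first occurrence wins, as in sshd
    ' "$1"
}

# Audit: PASS only when the effective value is exactly "no". An unset keyword
# also FAILs: OpenSSH's built-in default is prohibit-password, which still
# allows key-based root logins.
audit_permit_root_login() {
    v="$(sshd_effective_value "$1" PermitRootLogin)"
    case "$(printf '%s' "$v" | tr '[:upper:]' '[:lower:]')" in
        no) echo "PASS: PermitRootLogin is 'no' in $1"; return 0 ;;
        *)  echo "FAIL: PermitRootLogin is '${v:-<unset>}' in $1"; return 1 ;;
    esac
}

# Remediation: rewrite every active PermitRootLogin line (so no duplicate can
# take precedence) or append one if the keyword is absent. Comments are kept.
remediate_permit_root_login() {
    f="$1"
    tmp="$f.tmp.$$"
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { print; next }
        {
            line = $0
            sub(/[ \t]*=[ \t]*/, " ", line)
            split(line, fld)
            if (tolower(fld[1]) == "permitrootlogin") {
                print "PermitRootLogin no"; seen = 1; next
            }
            print
        }
        END { if (!seen) print "PermitRootLogin no" }
    ' "$f" > "$tmp" && mv "$tmp" "$f"
}

# --- constructed sample config (not copied from any real host) ---
SAMPLE="${TMPDIR:-/tmp}/sshd_config.sample.$$"
cat > "$SAMPLE" <<'EOF'
# Constructed sshd_config for this example
Port 22
# The next line is commented out, so it has no effect:
#PermitRootLogin no
permitrootlogin yes
# sshd ignores this later duplicate; the first value ("yes") wins:
PermitRootLogin no
EOF

# Audit first; remediate and re-audit only when the check fails.
audit_permit_root_login "$SAMPLE" || {
    remediate_permit_root_login "$SAMPLE"
    audit_permit_root_login "$SAMPLE"
}
rm -f "$SAMPLE"
```

On a live host, `sshd -T | grep -i permitrootlogin` prints the effective value including compiled-in defaults and Match blocks, which the file parser above does not model; the script parses the file so it can run offline against the constructed sample. Run the remediation only after checking whether anything depends on root SSH (backup jobs, rsync over SSH as root), because a benchmark step like this is exactly the kind of change that can break a workload if applied blindly.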

Controls and benchmarks are necessary evils in today's information technology-driven world. An organization that uses them, the best practices for securing information systems, stands a much better chance of thwarting an attack than one that does not. Controls are the mechanism by which an organization implements policies to protect its assets; benchmarks are there to verify that those assets are actually configured securely. One caveat: a benchmark is a baseline, not a guarantee, and its recommendations should be tested before they are pushed to production, because some settings will break workloads that depend on the old behavior.
