Center for Internet Security

Founded October, 2000
Founder William F. Pelgrin
Type 501(c)(3) not-for-profit organization
Legal status Active
Location East Greenbush, New York
Coordinates 42°36′44″N 73°41′58″W
Members Roughly 180
Key people Board of Directors, Executive Committee


SANS Institute
Mission The mission of the Center for Internet Security is to enhance the security readiness and response of public and private sector entities, with a commitment to excellence through collaboration.

The Center for Internet Security (CIS) is a 501(c)(3) not-for-profit organization founded in October, 2000,[1] whose mission is to "enhance the cyber security readiness and response of public and private sector entities, with a commitment to excellence through collaboration." The company is located in East Greenbush, New York and is led by its President and CEO, William F. Pelgrin. It is composed of roughly 180 members from 17 different countries.[2] CIS strives to improve global internet security by creating and fostering a trustable and secure environment to bridge the public and private sectors. In addition, at the national and international level, CIS plays an important role in forming security policies and decisions. CIS has four divisions: the Central Intelligence Center, the Multi-State Information Sharing and Analysis Center (MS-ISAC), Security Benchmarks, and the Trusted Purchasing Alliance. Through these four divisions, the Center for Internet Security works with a wide range of entities, including those in academia, the government, and both the private sector and general public to increase their online security by providing them with products and services that improve security efficiency and effectiveness.[3]

Integrated Intelligence Center

The goal of the Integrated Intelligence Center (IIC) is to aid in the sharing of intelligence products and information between government and private sector entities. State, local, tribal, and territorial (SLTT) government partners use the IIC as a resource to report and collaborate with each other on cybersecurity issues in as timely a manner as possible. In order for the US Department of Homeland Security and the IIC to collect, analyze, and "ensure actionable information"[4] with their SLTT partners, they offer fusion centers, homeland security advisors, and law enforcement entities equipped with cybersecurity products to the companies they work with. In order to protect the online safety of these organizations, the IIC facilitates secure, "two-way sharing of information between and among similarly situated partners".[4] This sharing is pertinent to this industry because the industry is so heavily based on collaboration at all levels.

In addition to two-way sharing, the IIC provides its clients many other resources. Intelligence sharing allows SLTT governments to notify each other of cyber security "threats, trends, and problems" that they experience. Subject matter experts analyze cyber trends and intelligence in order to assist SLTT governments in both on-going ventures and "one-time events and assessments". Given by expert lecturers, monthly training sessions on evading cyber crime are provided to "fusion center analysts and other interested partners". Through these resources, the Integrated Intelligence Center aims to improve both the safety and awareness of cyber issues, as well as prepare its clients to quickly respond to and resolve cyber threats.[5]

Multi-State Information Sharing and Analysis Center

The Multi-State Information Sharing and Analysis Center is designated by the U.S. Department of Homeland Security as a key cyber security resource for the nation’s state, local, territorial, and tribal (SLTT) governments. The MS-ISAC 24x7 cyber security operations center provides modern network monitoring, early cyber threat warnings and advisories, vulnerability identification and mitigation, and incident response.[6]

The main objectives of MS-ISAC include:[4]

  • provide two-way sharing of information and early warnings on cyber security threats
  • provide a process for gathering and disseminating information on cyber security incidents
  • promote awareness of the interdependencies between cyber and physical critical infrastructure as well as between and among the different sectors
  • coordinate training and awareness
  • ensure that all necessary parties are vested partners in this effort

The MS-ISAC has been growing since 2003. It started off as a small group of participating states in the Northeast; however, it now plays a national role and works with the U.S. Government and the Department of Homeland Security as the Information Sharing and Analysis Center for SLTT governments. The center's growth reached a vital point in its development at which changing its overall structure was deemed necessary. It needed to be transformed into an organization with a more central, “dedicated focus”, not confined to one governmental group but able to solve the widespread problems faced by all SLTT government entities. Further, this change would better represent MS-ISAC’s new and larger breadth and roles in global internet security.[7] In 2010, MS-ISAC further advanced its development when the United States Government and the Department of Homeland Security acquired not-for-profit status through the Center for Internet Security. This provided MS-ISAC with the means to keep up with both its own needs and those of the SLTT governments and also to support and advance the national internet security mission of the Department of Homeland Security.

Security Benchmarks

The Security Benchmarks Division provides global standards for internet security. Through consensus, the CIS Security Benchmarks division provides frameworks to help organizations bolster their security. Its resources include "secure configuration benchmarks, automated configuration assessment tools and content, security metrics and security software product certifications."[8]


The division's primary goal is for the widespread use of its benchmarks to increase and improve global internet security. CIS provides these benchmarks and other useful internet security tools free to everyone at its website, which makes CIS very cost effective. The benchmarks and the other tools CIS provides at no cost allow IT workers to create reports that compare their system security to a universal consensus standard. This fosters a new structure for internet security in which accountability is shared by top executives, technology professionals and other internet users throughout the globe. Further, CIS provides internet security tools with a scoring feature that rates the security of the system at hand. This encourages and motivates users to improve the scores given by the software, which bolsters the security of their internet and systems. The universal consensus standard that CIS employs is beneficial and powerful in that it draws upon the accumulated knowledge of skillful technology professionals. Since internet security professionals volunteer in contributing to this consensus, costs for CIS are reduced, which makes it cost effective.[9]

To develop and structure its benchmarks, CIS uses a strategy in which members of the organization first form into teams. Each team then collects suggestions, advice, official work and recommendations from a few participating organizations. The teams then analyze their data and information to determine which configuration settings are most vital, that is, which would improve internet system security the most in as many work settings as possible. Each member of a team constantly works with their teammates and critically analyzes and critiques a rough draft until a consensus forms among the team. Before a benchmark is released to the general public, it is available for download and testing among a widespread, yet selective, group of people. After reviewing all of the feedback from testing and making any necessary adjustments or changes, the final benchmark and other relevant security tools are made available to the public for download through the CIS website. This process is so extensive and so carefully executed that sometimes even thousands of security professionals throughout the globe participate in it. For example, "during the development of the CIS benchmark for Sun Microsystems Solaris, more than 2,500 users downloaded the benchmark and monitoring tools."[10]


The mission of the Security Benchmarks division is to use practice standards to improve the level of security and privacy on the Internet, and to establish the integrity of the public and private Internet-based functions and transactions on which society heavily relies.

The Security Benchmarks division is a collaboration of the Consensus Community and Security Benchmarks members. The Consensus Community is made up of experts in the field of IT security who use their knowledge and experience to help the global Internet community. Security Benchmarks members are made up of several different types of companies ranging in size, including government agencies, colleges and universities, nonprofits, IT auditors and consultants, security software vendors and other organizations. The collaborative efforts of the Consensus Community and Security Benchmarks members are essential to the CIS Security Benchmarks' success.


The CIS Security Benchmarks Division develops and distributes Security Configuration Benchmarks, Security Metrics, and the CIS-CAT Benchmark Assessment Tool. "Security Configuration Benchmarks describe consensus best practices for the secure configuration of target systems and are developed via extensive collaboration with our volunteer consensus community."[11] CIS Benchmarks are accepted as the worldwide standard for IT security technical controls and can be downloaded for free in PDF format. "Security Metrics offer enterprise IT and security teams insight into their own security process outcomes and are developed via extensive collaboration with our volunteer consensus community." These metrics, along with the CIS Quick Start Guide for Consensus Security Metrics, can be downloaded for free by the public. "The CIS-CAT Benchmark Assessment Tool provides IT and security professionals with a fast, detailed assessment of target systems' conformance with CIS Benchmarks." The CIS-CAT is an important tool that enterprises use to analyze and monitor the security of information systems and the effectiveness of security controls and processes. The CIS-CAT is only available to CIS Security Benchmarks members.[12]

Trusted Purchasing Alliance

"The mission of the Trusted Purchasing Alliance (TPA) is to serve state, local, territorial and tribal governments and related not-for-profit entities in achieving a greater cyber security posture through trusted expert guidance and cost-effective procurement."[13] The intent of the TPA is to combine the purchasing power of governmental and nonprofit sectors to help participants improve their cyber security condition at a lower cost than they would have been able to attain on their own. In order to bring their partners cost-effective services, they work with private and public sectors. They assist with the "time intensive, costly, complex, and daunting" task of maintaining cyber security. The combined purchasing opportunities are checked out by domain experts.[4]

There are three main objectives of the Trusted Purchasing Alliance. The first is to contribute a trusted environment to improve the condition of the cyber security of the previously mentioned entities. The second is to help lower the cost of cyber security needs. The third is to work with companies to bring services and security products to their partners.[13]

Education and awareness resources

In order to assist organizations and individuals in their cyber security, the Center for Internet Security supplies its users with many resources, such as daily emails with cyber safety tips and online guides and papers, as well as videos and podcasts. These can be found on the three division pages of the CIS: Security Benchmarks, Multi-State Information Sharing & Analysis Center, and the Trusted Purchasing Alliance.

The first division page is Security Benchmarks, a membership which offers objective and consensus-based data to aid organizations in their online security. The Security Benchmarks Division offers resources such as "automated configuration assessment tools and content, security metrics and security software product certifications", which are all recognized as "industry accepted system hardening standards" that organizations use to meet security requirements. In order to achieve its mission of establishing and promoting "the use of consensus-based best practice standards" to increase the security of internet-connected systems, it offers a Consensus Community (IT security subject matter experts who work to develop a safer online environment, especially in a time when information sharing is so prevalent). Other resources include the Security Configuration Benchmarks, which describe safety practices for its members; Security Metrics, which offer organizations "insight into their own security process outcomes"; and the CIS-CAT Benchmark Assessment Tool, which gives enterprises the tools to analyze and monitor the security of their online information systems and the effectiveness of their "internal security controls and processes". On their "Security Resources" page, both free resources and ones accessible through membership are available.[14]

The Multi-State Information Sharing & Analysis Center (MS-ISAC) aims to improve cyber security of "state, local, tribal and territorial governments".[11] Because collaboration and information sharing between these governments are critical to their success, their cyber security is of the utmost importance. The MS-ISAC facilitates cyber training and awareness, allows for two-way sharing of information between members and early detection of cyber security threats, and teaches how cyber and physical infrastructure are intertwined in ways pertinent to online security. On their "Resources & Publications" page, the MS-ISAC provides multiple links, such as newsletters, cyber security guides and tool kits, and daily tips.

The Trusted Purchasing Alliance, like the MS-ISAC, serves governments of all kinds, as well as non-profits, in achieving greater cyber security. On their "resources" page, multiple newsletters and documents are available free of charge, including "Cybersecurity Handbook for Cities and Counties" and "CSIS: Twenty Critical Security Controls for Effective Cyber Defense" (CIS CSC, aka CCS CSC).[15] With these resources, the TPA hopes to build partnerships between public and private sectors to increase collaboration that boosts the US nation's cyber security posture.

Participating organizations

The primary reason organizations throughout the world join the Center for Internet Security is that they realize the importance of CIS and its missions and goals, so they strive to support it. By paying yearly membership fees to the CIS, organizations understand, and are happy, that they are increasing global internet security for everyone. Further, by joining, they can take part in the creation of benchmarks.

The founding organizations and partners of the Center for Internet Security include the following: ISACA®, The American Institute of Certified Public Accountants (AICPA), The Institute of Internal Auditors (IIA), The International Information Systems Security Certification Consortium (ISC2) and The SANS Institute (System Administration, Networking and Security). These organizations all helped form CIS in October, 2000. CIS has come a long way and now has roughly 180 members from a total of 17 different countries. CIS cooperates and works with a variety of organizations and members at both the national and international levels. These include organizations in both the public and private sectors, government, ISACs and even law enforcement.[16]


  1. Clint Kreitner; Bert Miuccio. "The Center for Internet Security: Global Security Benchmarks for Computers Connected to the Internet". Information Systems Audit and Control Association. Retrieved 2014-03-21.
  2. Casaretto, J. (2014, January 20). Center for Internet Security – 2014 Cybersecurity predictions. SiliconANGLE. Retrieved March 15, 2014.
  3. Center for Internet Security. (n.d.). Berkeley Security. Retrieved March 14, 2014.
  4. "Center for Internet Security." Center for Internet Security. Center for Internet Security, n.d. Web. 1 Mar. 2014.
  5. Mavretich, R. (2012, October 18). Using the Center for Internet Security (CIS) Benchmarks to support an Information Security Management System. Retrieved March 12, 2014.
  6. "Welcome to the MS-ISAC." Center for Internet Security. N.p., n.d. Web. 10 Mar. 2014.
  7. "Multi-State Information Sharing and Analysis Center". Center for Internet Security. Retrieved 2014-03-21.
  8. "Center for Internet Security." Center for Internet Security. Center for Internet Security, n.d. Web. 1 Mar. 2014.
  9. Center for Internet Security Takes Leading Role in Industry Efforts to Enhance Security Automation. (2013, September 12). Center for Internet Security Takes Leading Role in Industry Efforts to Enhance Security Automation. Retrieved March 14, 2014.
  10. ISACA: Serving IT Governance Professionals. (n.d.). Information Technology. Retrieved March 7, 2014.
  11. Center for Internet Security. (n.d.). Center for Internet Security. Retrieved March 1, 2014.
  12. "About Security Benchmarks Division". Center for Internet Security. Retrieved 2014-03-21.
  13. Mission and Objectives. (n.d.). Mission and Objectives. Retrieved March 2, 2014.
  14. Center for Internet Security. (n.d.). Berkeley Security. Retrieved March 10, 2014.
  15. Welcome to the MS-ISAC. (n.d.). Center for Internet Security. Retrieved March 10, 2014.
  16. Miuccio, Bert, and Clint Kreitner. "ISACA: Serving IT Governance Professionals." The Center for Internet Security: Global Security Benchmarks for Computers Connected to the Internet. N.p., n.d. Web. 9 Mar. 2014.
