
Selecting CIS level benchmark

CIS benchmark levels

The benchmarks issued by CIS are typically divided into multiple categories, depending on the security requirements set. These requirements can and should differ depending on the organization's business. CIS categorizes security requirements by assigning each security check/rule to a level of importance. The lowest level of necessity is Level 1 and the highest is Level 3, where Level 3 requirements are supposed to be fulfilled by institutions with the highest security standards. By default, Nanitor applies Level 1 checks to all its supported benchmarks.

Since Nanitor version 2.3, different benchmark levels can be selected for the supported benchmarks. The supported benchmark levels are Level 1, Level 2, and BitLocker for the benchmarks where it can be applied.

Applying a benchmark rule

To select another benchmark security level, you need to create a benchmark rule. Nanitor allows you to apply different benchmark levels to different sets of assets within the same benchmark, each set being defined by a label assigned by Nanitor.

From the Nanitor administration section, select Organization Management -> Settings and go to the Benchmark tab.

For the benchmark where you want to select a different CIS benchmark level, select Assignment Rule from the three-dot action menu.

This will bring up a window where you are able to define one or multiple rules that will be applied by Nanitor to the benchmark. You will see the default Level that is going to be applied by Nanitor. From the button below you can create a new rule for all or a subset of assets.

In the conditions, select a label if you want the rule to apply only to a subset of assets, or leave it blank to apply the rule to all assets. Then select the profile that you want applied to that set of assets.

Once the rule has been created, you will see the list of rules that Nanitor will check.

Nanitor checks the rules from top to bottom. Once Nanitor finds a match for an asset, it applies the defined rule. If no match is found, Nanitor applies the default level (Level 1).
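
A model of this top-to-bottom, first-match evaluation, added here as an illustration (it is not Nanitor's code or API; the Rule class, the function names and the labels are assumptions). It goes slightly beyond the text by also flagging rules that can never apply because an earlier rule always matches first.

```python
# Added illustration: a model of the rule evaluation described above.
# Not Nanitor code; Rule, resolve_profile and shadowed_rules are hypothetical names.
from dataclasses import dataclass
from typing import Optional

DEFAULT_PROFILE = "Level 1"  # default level stated on this page


@dataclass(frozen=True)
class Rule:
    label: Optional[str]  # None models a blank condition: applies to all assets
    profile: str          # e.g. "Level 1", "Level 2", "BitLocker"


def matches(rule, asset_labels):
    return rule.label is None or rule.label in asset_labels


def resolve_profile(rules, asset_labels, default=DEFAULT_PROFILE):
    """Walk the rules top to bottom; the first match wins, else the default."""
    for rule in rules:
        if matches(rule, asset_labels):
            return rule.profile
    return default


def shadowed_rules(rules):
    """Return indexes of rules that can never apply because an earlier rule
    has a blank label or the same label and therefore always matches first."""
    seen_labels = set()
    catch_all_seen = False
    shadowed = []
    for i, rule in enumerate(rules):
        if catch_all_seen or rule.label in seen_labels:
            shadowed.append(i)
        if rule.label is None:
            catch_all_seen = True
        else:
            seen_labels.add(rule.label)
    return shadowed


# Constructed sample: labels and ordering are invented for the example.
RULES_BAD = [Rule(None, "Level 1"), Rule("domain-controllers", "Level 2")]
RULES_GOOD = [Rule("domain-controllers", "Level 2"), Rule("laptops", "BitLocker")]
```

With RULES_BAD, an asset labelled domain-controllers resolves to Level 1 because the blank-label rule above it matches first, so the stricter rule is never reached.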

Changing the default applied benchmark level

If you want to change the benchmark level for all assets that are currently captured by Nanitor and for those that will join in the future, it is best and easiest to change the default benchmark level applied by Nanitor. From the list of available benchmarks, click Assignment Rule in the benchmark action menu (three dots).

Now click Edit, select the benchmark level that you want applied, and press Save. When this finishes successfully, you will see that the level you selected is now set as the default.

You can now close the dialog.

Troubleshooting

Attention

Once a different benchmark level has been selected, either as the default level or only for a subset of assets (by label), the level will not be recognized/visible in Nanitor until the asset checks into Nanitor. Therefore, a complete transfer to the new benchmark level might take from a couple of hours to a couple of days, depending on how frequently the assets check into Nanitor.