CIS Compliance vs. changing browser policies
CIS and browser policies
Most security professionals are familiar with controls and benchmarks from the Center for Internet Security, or CIS. CIS is a non-profit organization that leads a global community of IT professionals who work continuously to develop and evolve cybersecurity standards. CIS Controls are comparatively high-level and are designed to deliver best practices in areas including asset management, access control, data protection, and incident response.
CIS Benchmarks, on the other hand, detail exact configurations that should be used to harden systems against attack. These two important sets of recommendations can be seen as augmenting each other; CIS Controls describe overall best practices across systems, while CIS Benchmarks provide configuration recommendations for specific technologies.
There are currently 18 different CIS Controls, ordered from Basic to Foundational to Organizational. CIS Benchmarks, in contrast, number over 100 and cover over 25 different product families. In this blog, we will home in on the benchmarks for browsers, focusing on those that apply to Google Chrome and Microsoft Edge, the two most popular browsers used in the enterprise.
Why do CIS Benchmarks for browsers matter?
It is tempting to question the relevance of browser policy benchmarks, since most are not actually mandatory. The reason they matter is simple: today’s browser has evolved to become almost as sophisticated as an operating system, with far-reaching capabilities that can affect data security and privacy in unexpected ways.
Another factor is that, while not often explicitly required, CIS browser benchmarks are globally recognized as a valuable part of complying with regulations that ARE mandatory. Some of these regulations include:
Compliance with CIS browser policy benchmarks is a vital part of overall security best practices because the browser is recognized as an area that can have a major impact (positive or negative) on industries that emphasize data protection/privacy and overall security. Such highly regulated industries include:
Financial Services
Healthcare
Government
Critical Infrastructure
Technology
Education
One of the most important things to notice in this list is that many organizations fall into more than one category. For example, a state university teaching hospital could be considered to belong to all of these classifications. This serves to highlight the fact that these industries and services are interconnected and often interdependent. That means that policies that broaden the attack surface or defeat data privacy in one area can affect all of the others.
How do companies stay in compliance?
One of the most challenging aspects of remaining compliant with browser settings is the sheer volume of policies to consider. Version 3.0 of the CIS Benchmark for Google Chrome alone is over three hundred pages long, and most enterprises use both Google Chrome and Microsoft Edge. CIS tries to update these benchmarks at least once a year to address new vulnerabilities and industry trends and to clarify existing guidance.
But another concern is that while it might be possible to manually audit browser policies once a year – twice if the enterprise uses both Chrome and Edge – the browsers themselves change far more frequently. Google Chrome is updated every 4-6 weeks, depending upon conditions; Microsoft Edge follows a similar update cadence.
To complicate matters further, most enterprises do not have security resources that can be dedicated to managing these rapidly evolving apps. While there is no published figure for how many companies rely upon CIS Benchmarks as a guideline, their widespread acceptance as part of proving compliance shows that these benchmarks are broadly used. So, how do these organizations do it?
Automate browser compliance, with benchmarks from experts and simplicity from Menlo
Like most areas of technology, the best method of staying current without dedicated staff is to automate the process, and the best vendors to rely upon are those that have been singularly focused on the browser. At the same time, however, it is vital to realize that each enterprise – and even specific groups within each enterprise – has unique needs and requirements. So, any automation must also feature flexibility, allowing granular policy options that are made by the companies themselves.
Menlo Security delivers with Menlo Browser Posture Manager. With Menlo, the process of ensuring that the enterprise browser is compliant with changing benchmarks even as the apps themselves change is finally something that mere mortals can accomplish.
With Browser Posture Manager, the process is simple. Once the admin uploads the browser configuration file (an easy process that is outlined in the product itself), they are automatically presented with a list of how their current policies compare to the selected benchmark in near real time. Note that it is possible to have different policy sets by user groups, making it possible to deliver secure policies that are custom-tailored to your users.
Change values that conflict with benchmark recommendations
The list is ordered by severity, beginning with policies that directly conflict with the benchmark. These policies are those that can have the most direct influence on overall security, but you’ll notice that Menlo does not make the choice for the admin. That’s because, although such a setting can have repercussions that make it unsuitable for most users, it is also possible that there are user groups for whom this behavior is appropriate.
Set missing policy items that have insecure default behavior
The default setting in many systems is to “fail closed,” meaning that if unset, the system will revert to a “safe” state. Unfortunately, this is not the case when considering the rapidly changing capabilities in Chrome or Edge. With these browsers, new features are typically enabled by default, and because of the pace of these changes, admins may not always be aware of them.
Set values for all policy items to prevent insecure user choices
In some cases, the new or default policy may align with the enterprise security stance, so it’s tempting to believe these policies do not need to be examined. This supposition is incorrect. That’s because many policies, rather than being a simple “yes” or “no” proposition, contain the option to let the end user decide for themselves. To ensure security and data privacy, it is often necessary to lock down such policies.
Compliant or no recommendation
These policies are still called out, even if the current choices are compliant with the benchmark.
Once the choices have been made, the configurations are archived, further simplifying the process of maintaining compliance.
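As an added illustration (not Menlo's code, and not the CIS Benchmark's actual recommendations), here is the four-bucket triage the sections above describe, run in Python over a constructed policy export. The benchmark values, the `unsafe_default` and `user_choice` flags, and the export shape (modelled on the JSON that chrome://policy exports) are all assumptions.

```python
import json

# Constructed benchmark for the demo: real Chrome/Edge policy names, but the
# target values and flags are assumed, NOT the CIS Benchmark's recommendations.
#   unsafe_default: if the policy is unset, the browser's built-in default is unsafe
#   user_choice:    a value that defers the decision to the end user (assumed)
BENCHMARK = {
    "PasswordManagerEnabled":           {"value": False, "unsafe_default": True},
    "RemoteAccessHostFirewallTraversal": {"value": False, "unsafe_default": True},
    "SafeBrowsingProtectionLevel":      {"value": 2,     "unsafe_default": False},
    "DefaultGeolocationSetting":        {"value": 2,     "unsafe_default": True, "user_choice": 3},
    "BackgroundModeEnabled":            {"value": False, "unsafe_default": False},
}

# Constructed export in the shape of a chrome://policy "Export to JSON" file (assumed format).
EXPORT = json.dumps({"chromePolicies": {
    "PasswordManagerEnabled":      {"level": "mandatory",   "scope": "machine", "value": True},
    "SafeBrowsingProtectionLevel": {"level": "mandatory",   "scope": "machine", "value": 2},
    "DefaultGeolocationSetting":   {"level": "mandatory",   "scope": "machine", "value": 3},
    "BackgroundModeEnabled":       {"level": "recommended", "scope": "user",    "value": False},
}})


def triage(export_json, benchmark):
    """Bucket each benchmark policy in the severity order the post uses."""
    current = json.loads(export_json).get("chromePolicies", {})
    buckets = {"conflict": [], "missing_unsafe_default": [], "user_choice": [], "compliant": []}
    for name, rule in benchmark.items():
        entry = current.get(name)
        if entry is None:
            # Unset policy: only a finding when the browser's own default is unsafe.
            key = "missing_unsafe_default" if rule["unsafe_default"] else "compliant"
            buckets[key].append(name)
        elif entry["value"] == rule.get("user_choice") or entry["level"] == "recommended":
            # The value itself defers to the user, or the policy is only "recommended"
            # (a default the user may override in settings), so it is not locked down.
            buckets["user_choice"].append(name)
        elif entry["value"] != rule["value"]:
            buckets["conflict"].append(name)
        else:
            buckets["compliant"].append(name)
    return buckets


if __name__ == "__main__":
    for bucket, names in triage(EXPORT, BENCHMARK).items():
        print(f"{bucket}: {names}")
```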
Safe, secure, and now simple
Menlo Security has been securing enterprise browsers for over a decade. Combined with the expertise of CIS and of other benchmarks to come, staying compliant while protecting enterprise security and defending data privacy is finally attainable for all organizations, regardless of staff size.
Find out more about Menlo Security Browser Posture Manager here.
Excellent read for all CISOs - some great data points in here
Useful tips. Thanks 🙏 as always. Take care everyone.