Symantec Control Compliance Suite

Regulations, Frameworks, and Standards

12 June 2015

Symantec™ Control Compliance Suite Regulations, Frameworks, and Standards


The following government regulations and best practice frameworks are supported in Control Compliance Suite (CCS).

Note: All regulations and best practice frameworks are supported in CCS 11.0 unless specified otherwise.

Regulations are published government mandates such as HIPAA, Sarbanes-Oxley, or GLBA. These regulations describe the business functions and security functions that must be performed.

Frameworks are published best practices such as COBIT, COSO, and the ISO series. These frameworks provide implementation guidance to help organizations set up and assess their risk management, governance, and compliance programs.

A standard is a hierarchical organizational structure of sections and checks. Control Compliance Suite provides a set of predefined standards that are installed along with the product. These standards are mostly derived from guidelines published by established organizations such as CIS or NIST.

Legend:

Out of box Mandate compliance reports: Displays Yes if the title is mapped to Technical Controls and Platforms in CCS.

Assessment Questionnaires: Displays Yes if the title is mapped to a Procedural Controls Questionnaire in CCS.

 

Regulations and Statutes

 

Regulations

| Title | Source | Region | CCS Support: Out of box Mandate compliance reports | CCS Support: Assessment Questionnaires | Comments |
| --- | --- | --- | --- | --- | --- |
| ARRA-HITECH Guidance from the Department of Health and Human Services | US Congress | North America | Yes | Yes | |
| Australian Government Information Security Manual (AUS-ISM) | Australian Government - Department of Defense | Australia | Yes | Yes | |
| FCC 47 CFR Part 64 Subpart U - Customer Proprietary Network Information (CPNI) | US Federal Communications Commission (FCC) | North America | Yes | Yes | |
| FDA 21 CFR Part 11 - Electronic Records; Electronic Signatures | US Food and Drug Administration | North America | Yes | Yes | |
| FDA 21 CFR Part 820 - Quality System Regulation | US Food and Drug Administration | North America | Yes | Yes | |
| FISMA | US Congress | North America | Yes | Yes | |
| FISMA using NIST SP 800-53 rev1 | National Institute of Standards and Technology | Global | No | Yes | |
| NIST SP 800-53 based on FISMA | National Institute of Standards and Technology | Global | No | Yes | |
| GLBA CFTC 17 CFR Sec. 160.30 - Procedures to safeguard customer records and information. | US Federal Trade Commission | North America | Yes | Yes | |
| GLBA FDIC 12 CFR Part 364 App. B - Interagency Guidelines Establishing Information Security Standards | US Federal Trade Commission | North America | Yes | Yes | |
| GLBA FRB 12 CFR Part 208 App. D-2 - Interagency Guidelines Establishing Information Security Standards | US Federal Trade Commission | North America | Yes | Yes | |
| GLBA FRB 12 CFR Part 225 App. F - Interagency Guidelines Establishing Information Security Standards | US Federal Trade Commission | North America | Yes | Yes | |
| GLBA FTC 16 CFR Part 314 - Standards for Safeguarding Customer Information | US Federal Trade Commission | North America | Yes | Yes | |
| GLBA NCUA 12 CFR Part 748 App. A and App. B - Guidelines for Safeguarding Member Information and Guidance on Response Programs for Unauthorized Access to Member Information and Member Notice | US Federal Trade Commission | North America | Yes | Yes | |
| GLBA OCC 12 CFR Part 30 App. B - Interagency Guidelines Establishing Information Security Standards | US Federal Trade Commission | North America | Yes | Yes | |
| GLBA OTS 12 CFR Part 570 App. B - Interagency Guidelines Establishing Information Security Standards | US Federal Trade Commission | North America | Yes | Yes | |
| GLBA SEC 17 CFR Sec. 248.30 - Procedures to safeguard customer records and information; disposal of consumer report information. | US Federal Trade Commission | North America | Yes | Yes | |
| Interagency Guidelines Establishing Information Security Standards | US Federal Reserve | North America | No | Yes | |
| OTS Small-Entity Compliance Guide | US Securities and Exchange Commission | North America | No | Yes | |
| HIPAA 45 CFR Part 164 - Security Rule | US Congress | North America | Yes | Yes | |
| Identity Theft Red Flags and Address Discrepancies Under the FACT Act - FDIC | US Federal Trade Commission (FTC) | North America | Yes | Yes | |
| Identity Theft Red Flags and Address Discrepancies Under the FACT Act - FRB (Board) | US Federal Trade Commission (FTC) | North America | Yes | Yes | |
| Identity Theft Red Flags and Address Discrepancies Under the FACT Act - FTC | US Federal Trade Commission (FTC) | North America | Yes | Yes | |
| Identity Theft Red Flags and Address Discrepancies Under the FACT Act - NCUA | US Federal Trade Commission (FTC) | North America | Yes | Yes | |
| Identity Theft Red Flags and Address Discrepancies Under the FACT Act - OCC | US Federal Trade Commission (FTC) | North America | Yes | Yes | |
| Identity Theft Red Flags and Address Discrepancies Under the FACT Act - OTS | US Federal Trade Commission (FTC) | North America | Yes | Yes | |
| Massachusetts: 201 CMR 17.00 - Standards for The Protection of Personal Information of Residents of the Commonwealth | US - Commonwealth of Massachusetts | North America | Yes | Yes | |
| Sarbanes-Oxley - The Sarbanes-Oxley Act of 2002 (SOX) | US Congress | North America | Yes | Yes | |
| UK: Data Protection Act 1998 | UK Parliament | Europe | Yes | Yes | |
| China - The Basic Standard for Enterprise Internal Control and Supplemental Guidelines | China - Ministry of Finance | China | Yes | Yes | Added in SCU 2012-4 |

US State Privacy Statutes

| Title | Source | Region | CCS Support: Out of box Mandate compliance reports | CCS Support: Assessment Questionnaires | Comments |
| --- | --- | --- | --- | --- | --- |
| Alaska - Sec. 45.48.010 et seq. Disclosure of breach of security | US Statute | North America | Yes | No | |
| Arizona - 44-7501. Notification of breach of security system; enforcement; civil penalty; preemption; exceptions; definitions | US Statute | North America | Yes | No | |
| Arkansas - A.C.A. § 4-110-101 et seq. Personal Information Protection Act | US Statute | North America | Yes | No | |
| California - Civil Code §§ 1798.29, 1798.82 | US Statute | North America | Yes | No | |
| Colorado - Rev. Stat. § 6-1-716 Notification of security breach | US Statute | North America | Yes | No | |
| Connecticut - Sec. 36a-701b. Breach of security re computerized data containing personal information. Disclosure of breach. Delay for criminal investigation. Means of notice. Unfair trade practice. | US Statute | North America | Yes | No | |
| Delaware - § 12B-101 et seq. | US Statute | North America | Yes | No | |
| District of Columbia - DC ST § 28-3851 et seq. | US Statute | North America | Yes | No | |
| Florida - 817.5681 Breach of security concerning confidential personal information in third-party possession; administrative penalties. | US Statute | North America | Yes | No | |
| Hawaii - § 487N-2 Notice of security breach. | US Statute | North America | Yes | No | |
| Illinois - 815 ILCS 530/1 Personal Information Protection Act | US Statute | North America | Yes | No | |
| Indiana - IC 24-4.9 et seq. Disclosure of Security Breach, IC 4-1-11 et seq. Notice of Security Breach | US Statute | North America | Yes | No | |
| Kansas - Stat. 50-7a01, 50-7a02 Protection of Consumer Information | US Statute | North America | Yes | No | |
| Louisiana - RS 51:3071 et seq. Database Security Breach Notification Law | US Statute | North America | Yes | No | |
| Maine - Chapter 210-B: the Notice of Risk to Personal Data Act | US Statute | North America | Yes | No | |
| Michigan - § 445.72 Notice of security breach; requirements. | US Statute | North America | Yes | No | |
| Minnesota - 325E.61 DATA WAREHOUSES; NOTICE REQUIRED FOR CERTAIN DISCLOSURES. | US Statute | North America | Yes | No | |
| Missouri - § 407.1500 | US Statute | North America | Yes | No | |
| Montana - 30-14-1704 Computer security breach | US Statute | North America | Yes | No | |
| Montana - H.B. 155, Chapter 163 | US Statute | North America | Yes | No | |
| Nebraska - § 87-801 et seq. Financial Data Protection and Consumer Notification of Data Security Breach Act of 2006 | US Statute | North America | Yes | No | |
| Nevada - CHAPTER 603A SECURITY OF PERSONAL INFORMATION | US Statute | North America | Yes | No | |
| New Hampshire - Sec. 359-C:19 et seq. Notice of Security Breach | US Statute | North America | Yes | No | |
| New Jersey - 56:8-161 et seq. | US Statute | North America | Yes | No | |
| New York - N.Y. General Business Law 899-aa | US Statute | North America | Yes | No | |
| North Dakota - CHAPTER 51-30 NOTICE OF SECURITY BREACH FOR PERSONAL INFORMATION | US Statute | North America | Yes | No | |
| Ohio - § 1349.19 Private disclosure of security breach of computerized personal information data. | US Statute | North America | Yes | No | |
| Oregon - Sec. 646A.604 Notice of breach of security; delay; methods of notification; contents of notice; application of notice requirement | US Statute | North America | Yes | No | |
| Pennsylvania - Chapter 43 - Breach of Personal Information Notification Act | US Statute | North America | Yes | No | |
| Rhode Island - 11-49.2-1 et seq. Rhode Island Identity Theft Protection Act of 2005 | US Statute | North America | Yes | No | |
| South Carolina - § 39-1-90 Breach of security of business data; notification; definitions; penalties; exception as to certain banks and financial institutions; notice to Consumer Protection Division. | US Statute | North America | Yes | No | |
| Tennessee - 47-18-2107. Release of personal consumer information | US Statute | North America | Yes | No | |
| Texas - Sec. 521.053 NOTIFICATION REQUIRED FOLLOWING BREACH OF SECURITY OF COMPUTERIZED DATA | US Statute | North America | Yes | No | |
| Utah - Sec. 13-44-101 et seq. Protection of Personal Information Act | US Statute | North America | Yes | No | |
| Vermont - § 2435 Security Breach Notice Act | US Statute | North America | Yes | No | |
| Washington - RCW 19.255.010 - Disclosure, notice - Definitions - Rights, remedies | US Statute | North America | Yes | No | |
| Wisconsin - 134-98 Notice of unauthorized acquisition of personal information | US Statute | North America | Yes | No | |

 

Best Practice Frameworks and Standards

 


| Title | Source | Region | CCS Support: Out of box Mandate compliance reports | CCS Support: Assessment Questionnaires | Comments |
| --- | --- | --- | --- | --- | --- |
| AICPA Trust Services Principles and Criteria- SAS 70 / SSAE 16 (AT section 101 - SOC 2 and SOC 3) | American Institute of Certified Public Accountants | North America | Yes | Yes | |
| Basel Committee - Sound Practices for the Management and Supervision of Operational Risk | Bank for International Settlements | Global | Yes | Yes | |
| California: Recommended Practices on Notice of Security Breach Involving Personal Information (2007) | US - State Law | North America | Yes | No | |
| California: Recommended Practices on Notice of Security Breach Involving Personal Information (2008) | US - State Law | North America | Yes | No | |
| CMS Information Security ARS – Appendix A – CMSR High Impact Level Data | Centre for Medicare & Medicaid Services | North America | Yes | Yes | |
| CobiT 3rd Edition | ISACA/ITGI | Global | Yes | No | |
| CobiT 4.0 | ISACA/ITGI | Global | Yes | Yes | |
| CobiT 4.1 | ISACA/ITGI | Global | Yes | Yes | |
| COSO Enterprise Risk Management - Integrated Framework | American Institute of Certified Public Accountants | North America | Yes | Yes | |
| CSA Cloud Controls Matrix v1.1 (CSM) | The Cloud Security Alliance | Global | Yes | No | |
| DISA STIG - Access Control In Support Of Information Systems | US Defense Information Systems Agency | North America | Yes | Yes | |
| FIEL Guidance for J-SOX for IT | Financial Services Agency, The Japanese Government | Japan | Yes | Yes | |
| ISO/IEC 31000:2009 | International Organization for Standardization (ISO) | Global | Yes | Yes | |
| ISO/IEC 20000-1:2005 | International Organization for Standardization (ISO) | Global | Yes | Yes | |
| ISO/IEC 20000-2:2005 | International Organization for Standardization (ISO) | Global | Yes | Yes | |
| ISO/IEC 27001:2005 | International Organization for Standardization (ISO) | Global | Yes | Yes | |
| ISO/IEC 27002:2005 | International Organization for Standardization (ISO) | Global | Yes | Yes | |
| ISO/IEC 27005:2008 | International Organization for Standardization (ISO) | Global | Yes | Yes | |
| IT Control Objectives for Sarbanes-Oxley 2nd Edition | ISACA/ITGI | North America | Yes | Yes | |
| NERC 1300 | North American Electric Reliability Corporation | North America | No | Yes | |
| NERC CIP 002-009 | North American Electric Reliability Corporation | North America | Yes | Yes | |
| NERC CIP-002-4 - CIP-009-04 | North American Electric Reliability Corporation | North America | Yes | Yes | |
| NERC CIP 002-009-2 | North American Electric Reliability Corporation | North America | No | Yes | |
| NIST SP 800-122 | National Institute of Standards and Technology | Global | Yes | Yes | |
| NIST SP 800-30 | National Institute of Standards and Technology | Global | Yes | Yes | |
| NIST SP 800-53 Rev. 1 | National Institute of Standards and Technology | Global | Yes | Yes | |
| NIST SP 800-53 Rev. 3 | National Institute of Standards and Technology | Global | Yes | Yes | |
| NIST SP 800-66 Rev. 1 | National Institute of Standards and Technology | Global | Yes | Yes | |
| PCI DSS v1.1 | PCI Security Standards Council | Global | Yes | Yes | |
| PCI DSS v1.2 | PCI Security Standards Council | Global | Yes | Yes | |
| PCI DSS v2.0 | PCI Security Standards Council | Global | Yes | No | |
| SANS 20 Critical Security Controls - Version 3.0 | SANS | Global | Yes | Yes | |
| MAS IBTRMV3 - Monetary Authority of Singapore Internet Banking and Technology Risk Management Guidelines. | Monetary Authority of Singapore | Singapore | Yes | Yes | Added in SCU 2012-4 |
| FEDRAMP - Federal Risk and Authorization Management Program V1.0 | US - General Services Administration | North America | Yes | Yes | Added in SCU 2012-4 |
| Criminal Justice Information Services (CJIS) Security Policy Version 5.0 | US - Federal Bureau of Investigation (FBI) | North America | Yes | Yes | Added in SCU 2012-4 |
| The World Bank Technology Risk Checklist 7.3 | The World Bank | Global | Yes | Yes | |
| VMware vSphere 4.1 Security Hardening | VMWARE | Global | Yes | Yes | |
| VMware Hardening Guidelines ESXi 5.1 via vCenter | VMWARE | Global | Yes | No | Added in SCU 2013-3 |
| US-CCU Cyber Security Checklist | US Cyber Consequences Unit | North America | No | Yes | |
| TRUSTe Security Guidelines 2.0 | TRUSTe | Global | | Yes | |
| SOX IT using CobiT 4.0 | ISACA/ITGI | Global | No | Yes | |
| SOX Compliance Toolkit - Corporate Governance Compliance Checklist | | Global | No | Yes | |
| SOX Compliance Toolkit - Audit Committee SOX Compliance Checklist | | Global | No | Yes | |
| SOX - The IT Dimension | | Global | No | Yes | |
| IT Control Objectives for SOX - Company-level Questionnaire | | Global | No | Yes | |
| IT Control Objectives for SOX - Assessing the Readiness of IT | | Global | No | Yes | |
| AICPA SOX Assessment - Other Questions for Management | American Institute of Certified Public Accountants | North America | No | Yes | |
| AICPA SOX Assessment - Guidelines for Hiring CAE | American Institute of Certified Public Accountants | North America | No | Yes | |
| AICPA SOX Assessment - Evaluation of the Independent Auditor | American Institute of Certified Public Accountants | North America | No | Yes | |
| AICPA SOX Assessment - Evaluation of Internal Audit Team | American Institute of Certified Public Accountants | North America | No | Yes | |
| AICPA SOX Assessment - COSO Framework | American Institute of Certified Public Accountants | North America | No | Yes | |
| AICPA SOX Assessment - Conducting an Executive Session | American Institute of Certified Public Accountants | North America | No | Yes | |
| SB1386- Recommended Practices on Notice of Security Breach | US - State Law | North America | No | Yes | |
| Treasury Board of Canada - Privacy Impact Assessment Guidelines | Canada - Treasury Board | Canada | No | Yes | |
| Business pandemic influenza planning checklist | U.S. Department of Health & Human Services | North America | No | Yes | |
| Business Pandemic Influenza Planning for Overseas Operations Checklist | U.S. Department of Health & Human Services | North America | No | Yes | |
| Child Care and Preschool Pandemic Influenza Planning Checklist | U.S. Department of Health & Human Services | North America | No | Yes | |
| Colleges and Universities Pandemic Influenza Planning Checklist | U.S. Department of Health & Human Services | North America | No | Yes | |
| Correctional Facilities Pandemic Influenza Planning Checklist | U.S. Department of Health & Human Services | North America | No | Yes | |
| Emergency Med Services and Non-Emergent Pandemic Influenza Planning Checklist | U.S. Department of Health & Human Services | North America | No | Yes | |
| Faith-based and Community Org Pandemic Influenza Preparedness Checklist | U.S. Department of Health & Human Services | North America | No | Yes | |
| Health Insurer Pandemic Influenza Planning Checklist | U.S. Department of Health & Human Services | North America | No | Yes | |
| Home Health Care Services Pandemic Influenza Planning Checklist | U.S. Department of Health & Human Services | North America | No | Yes | |
| Hospital Pandemic Influenza Planning Checklist | U.S. Department of Health & Human Services | North America | No | Yes | |
| Law Enforcement Pandemic Influenza Planning Checklist | U.S. Department of Health & Human Services | North America | No | Yes | |
| Long-Term Care Facilities Pandemic Influenza Planning Checklist | U.S. Department of Health & Human Services | North America | No | Yes | |
| Medical Offices and Clinics Pandemic Influenza Planning Checklist | U.S. Department of Health & Human Services | North America | No | Yes | |
| School district (K-12) Pandemic Influenza Planning Checklist | U.S. Department of Health & Human Services | North America | No | Yes | |
| Travel Industry Pandemic Influenza Planning Checklist | U.S. Department of Health & Human Services | North America | No | Yes | |
| FFIEC Authentication Guidance | US - FFIEC | North America | No | Yes | |
| FFIEC IT Examination Handbook Audit Booklet | US - FFIEC | North America | No | Yes | |
| FFIEC IT Examination Handbook Information Security Booklet | US - FFIEC | North America | No | Yes | |
| DoD Instruction 8500.2 Information Assurance (IA) Implementation-5.7. | US - Department of Defense | North America | No | Yes | |
| CSA Consensus Assessments Initiative | Cloud Security Alliance | Global | No | Yes | |
| C-TPAT - Importer Self-Assessment Questionnaire | US - Customs | North America | No | Yes | |
| C-TPAT - Internal Control Management | US - Customs | North America | No | Yes | |
| Email review | Symantec | Global | No | Yes | |
| Physical Security | Symantec | Global | No | Yes | |
| Security Assessment Checklist | Symantec | Global | No | Yes | |
| Security Awareness Culture | Symantec | Global | No | Yes | |
| Security Awareness Monthly Quizes | Symantec | Global | No | Yes | |
| U.S Dep of Ag Food Sec Assessment | US - FDA | North America | No | Yes | |
| IT Service Management Assessment | Symantec | Global | No | Yes | |
| BSI German Govt- IT_Security_Guidelines | German Govt | Germany | No | Yes | |
| Cobit 5.0 | ISACA/ITGI | Global | Yes | Yes | Added in SCU 2013-1 |
| SANS 20 Critical Security Controls - Version 4.0 | SANS | Global | Yes | Yes | Added in SCU 2013-1 |
| NIST Special Publication 800-53 Revision 4 | NIST | Global | Yes | Yes | Added in SCU 2013-2 |
| Australian Government Information Security Manual v2.0 September 2012 Release | Australian Government (DSD) | Australia | Yes | Yes | Added in SCU 2013-2 |
| Australian Prudential Regulation Authority (APRA) – Prudential Practice Guide for Managing Data Risk; Prudential Practice Guide for Management of Security Risk in Information and Information Technology | Australian financial services industry | Australia | Yes | Yes | Added in SCU 2013-3 |
| ISO/IEC 27001:2013 | International Organization for Standardization (ISO) | Global | Yes | Yes | Added in SCU 2013-3 |
| PCI DSS 3.0 | The Payment Card Industry Data Security Standard (PCI DSS) | Global | Yes | Yes | Added in SCU 2014-1 |
| NIST Cybersecurity Framework Core Version 1.0 | The Commerce Department's National Institute of Standards and Technology (NIST) | Global | Yes | Yes | Added in SCU 2014-1 |



Predefined CCS Standards

Predefined CCS standards are present in the Predefined folder in the tree pane of the CCS Standards view. The predefined standards are not editable, but can be copied to the user-defined folder. The copies can then be modified.


The existing CCS predefined standards are listed in the following table:


| CCS Platform | Predefined CCS Standard | Corresponding Target Type(s) | SCU Release Version | Comments |
| --- | --- | --- | --- | --- |
| Cisco | Security Essentials for Cisco IOS 15.0M Routers | Cisco IOS 15.0M Routers | CCS 11.1 SCU 2014-3 | Updated in the CCS 11.1 SCU 2015-1 |
| DB2 | CIS Security Benchmark for DB2 v4.0 | All ESM Agent Machines (deprecated); DB2 Databases | CCS 11.0 SCU 2012-4; CCS 11.1 SCU 2014-3 | Used in the message-based data collection |
| Microsoft Exchange | CIS Security Configuration Benchmark v1.1.0 For Microsoft Exchange Server 2007 | Exchange 2007 Hub Transport Servers; Exchange Organization | CCS 11.0 SCU 2012-1; CCS 11.1 SCU 2014-3 | |
| Microsoft Exchange | Security Essentials for Exchange 2010 | Exchange Organization; Exchange 2010 Hub Transport Servers | CCS 11.0 SCU 2012-1; CCS 11.1 SCU 2014-3 | |
| Oracle | CIS Oracle Database Server 11g Security Benchmark v1.0.1 | Oracle 11g Databases; Oracle 11g Windows Databases | CCS 11.0 SCU 2012-1; CCS 11.1 SCU 2014-3 | Updated in the CCS 11.x SCU 2015-1 |
| Oracle | Security Essentials for Oracle Database Server 12c | Oracle 12c Databases | CCS 11.0 SCU 2015-1; CCS 11.1 SCU 2015-1 | |
| SQL | CIS Security Configuration Benchmark for Microsoft SQL Server 2005 v1.1.1 | SQL Server 2005 Instances; SQL Server Instances | CCS 11.0 SCU 2012-1; CCS 11.1 SCU 2014-3 | |
| SQL | CIS Security Configuration Benchmark for Microsoft SQL Server 2008 R2 Database v1.0.0 | SQL Server 2008 Instances | CCS 11.0 SCU 2012-1; CCS 11.1 SCU 2014-3 | |
| SQL | Security Essentials for Microsoft SQL Server 2008 | SQL Server 2008 Instances; SQL Databases | CCS 11.0 SCU 2012-1; CCS 11.1 SCU 2014-3 | |
| SQL | Security Essentials for Microsoft SQL Server 2012 | SQL Server 2012 Instances | CCS 11.0 SCU 2014-1; CCS 11.1 SCU 2014-3 | |
| SQL | Security Essentials for Microsoft SQL Server 2014 | SQL Server 2014 Instances | CCS 11.0 SCU 2014-4; CCS 11.1 SCU 2014-4 | |
| SQL | The Australian Government Information and Communications Technology Security Manual for MS-SQL Server | SQL Server 2000 Instances; SQL Server Instances | CCS 11.0 SCU 2014-1; CCS 11.1 SCU 2014-3 | |
| SYBASE | ESM - CIS Benchmark for Sybase ASE v1.1.0 | All UNIX ESM Agent Machines (deprecated); Sybase Servers | CCS 11.0 SCU 2012-1; CCS 11.1 SCU 2014-3 | Used in message-based data collection; Updated in the CCS 11.0 SCU 2012-4 |
| UNIX | Advanced Checks | UNIX Machines | CCS 11.0 SCU 2012-3; CCS 11.1 SCU 2014-3 | |
| UNIX | CIS Benchmark v1.1.2 for Red Hat Enterprise Linux 5.0 and 5.1 | Red Hat Enterprise Linux 5.0 and Later Machines; Red Hat Enterprise Linux 3.0 and Later Machines | CCS 11.0 SCU 2012-1; CCS 11.1 SCU 2014-3 | Updated in the CCS 11.0 SCU 2013-1 |
| UNIX | CIS Red Hat Enterprise Linux 6.x Benchmark v1.2.0 | Red Hat Enterprise Linux 6.x Machines | CCS 11.0 SCU 2013-2; CCS 11.1 SCU 2014-3 | |
| UNIX | CIS Security Benchmark for HP-UX v1.3.1 | HP-UX 11.x Machines; HP-UX 11.11 Machines | CCS 11.0 SCU 2012-1; CCS 11.1 SCU 2014-3 | |
| UNIX | CIS Solaris 10 Benchmark v4.0 | Solaris 10 Machines | CCS 11.0 SCU 2012-1; CCS 11.1 SCU 2014-3 | |
| UNIX | CIS SUSE Linux Enterprise Server 10 Benchmark v2.0.0 | SUSE Linux Enterprise Server 10 and Later Machines | CCS 11.0 SCU 2012-1; CCS 11.1 SCU 2014-3 | |
| UNIX | Security Essentials for AIX 5.x and 6.1 | AIX 5.1 and later Machines; AIX 6.1 Machines | CCS 11.0 SCU 2012-1; CCS 11.1 SCU 2014-3 | |
| UNIX | Security Essentials for AIX 7.1 | AIX 7.1 Machines | CCS 11.0 SCU 2015-1; CCS 11.1 SCU 2015-1 | Released in the Express SCU for AIX 7.1; Later integrated with the CCS 11.x SCU 2015-1 |
| UNIX | Security Essentials for Red Hat Enterprise Linux 7.x | Red Hat Enterprise Linux 7.x Machines | CCS 11.0 SCU 2014-4; CCS 11.1 SCU 2014-4 | |
| UNIX | Security Essentials for Solaris 11 | Solaris 11 Machines | CCS 11.0 SCU 2015-1; CCS 11.1 SCU 2015-1 | |
| UNIX | Security Essentials for SUSE Linux Enterprise Server | SUSE Linux Enterprise Server 9 Machines | CCS 11.0 SCU 2012-1; CCS 11.1 SCU 2014-3 | |
| UNIX | Security Essentials for SUSE Linux Enterprise Server 10 and SUSE Linux Enterprise Server 11 | SUSE Linux Enterprise Server 11 Machines; SUSE Linux Enterprise Server 10 and 11 Machines | CCS 11.0 SCU 2012-1; CCS 11.1 SCU 2014-3 | |
| UNIX | Security Essentials for Ubuntu 12.04 and 14.04 LTS Server | Ubuntu 14.04 Machines; Ubuntu 12.04 Machines | CCS 11.0 SCU 2015-1; CCS 11.1 SCU 2015-1 | Released as Security Essentials for Ubuntu 12.04 LTS Server in the CCS 11.0 SCU 2014-1 and CCS 11.1 SCU 2014-3 respectively; Updated in the Express SCU for Ubuntu 14.04 LTS Server; Later integrated with the CCS 11.x SCU 2015-1 |
| UNIX Applications | CIS Security Configuration Benchmark v3.0.0 For Apache HTTP Server 2.2 | UNIX Machines with Apache Installed | CCS 11.0 SCU 2012-1; CCS 11.1 SCU 2014-3 | |
| UNIX Applications | Security Essentials for Apache HTTP Server 2.4 | UNIX Machines with Apache Installed | CCS 11.0 SCU 2015-1; CCS 11.1 SCU 2015-1 | Released in the Express SCU for Apache HTTP Server 2.4; Later integrated with the CCS 11.x SCU 2015-1 |
| UNIX Applications | Security Essentials for WebSphere Application Server (WAS) V7 and V8.x | UNIX Machines with IBM WebSphere Application Server Installed | CCS 11.0 SCU 2015-1; CCS 11.1 SCU 2015-1 | Released as Security Essentials for WebSphere Application Server (WAS) V7 in the CCS 11.0 SCU 2012-4 and the CCS 11.1 SCU 2014-3; Updated in the Express SCU for WebSphere Application Server (WAS) 8.x; Later integrated with the CCS 11.x SCU 2015-1 |
| UNIX Message Based | Change Notifications for UNIX | UNIX Machines; All UNIX ESM Agent Machines (deprecated) | CCS 11.0 SCU 2012-1; CCS 11.1 SCU 2014-3 | |
| UNIX Message Based | CIS Security Benchmark for HP-UX v1.5.0 | All HP-UX Machines; HP-UX 11i ESM Agent Machines (deprecated) | CCS 11.0 SCU 2012-1; CCS 11.1 SCU 2014-3 | Updated in the CCS 11.0 SCU 2012-4 |
| UNIX Message Based | ESM - CIS Security Benchmark for AIX v5.3_6.1 | All AIX Machines | CCS 11.0 SCU 2012-3; CCS 11.1 SCU 2014-3 | Updated in the CCS 11.0 SCU 2012-4 |
| UNIX Message Based | CIS Security Benchmark for Red Hat Enterprise Linux 5.0 and 5.1 v1.1.2 | All Red Hat Enterprise Linux Machines; Red Hat Enterprise Linux 5 ESM Agent Machines (deprecated) | CCS 11.0 SCU 2012-1; CCS 11.1 SCU 2014-3 | Updated in the CCS 11.0 SCU 2012-4 |
| UNIX Message Based | CIS Security Benchmark for Sun Solaris 10 V4.0 | Solaris 10 Machines; Sun Solaris 10 ESM Agent Machines (deprecated) | CCS 11.0 SCU 2012-1; CCS 11.1 SCU 2014-3 | |
| UNIX Patch Standard | Comprehensive Patch Standard for AIX | AIX 5.3 Machines; AIX 6.1 Machines; AIX 7.1 Machines | CCS 11.0 SCU 2012-1; CCS 11.1 SCU 2014-3 | Updated when the new AIX patches are available |
| VMware | CIS Security Benchmark for VMware ESX 4.1 v1.0.0 via Unix | VMware ESX Server 4.1 Machines | CCS 11.0 SCU 2012-1; CCS 11.1 SCU 2014-3 | Released in the CCS 11.0 SCU 2012-1 as CIS Security Benchmark for VMware ESX 4.1 v1.0.0; Updated in the CCS 11.0 SCU 2013-3 |
| VMware | Security Essentials for VMware ESX 4.1 via vCenter | VMware ESXI Server 4.x Machines | CCS 11.0 SCU 2012-3; CCS 11.1 SCU 2014-3 | Updated in the CCS 11.0 SCU 2012-4 |
| VMware | Security Essentials for VMware ESX Server 4.x via Unix | VMware ESX Server 4.x Machines | CCS 11.0 SCU 2012-1; CCS 11.1 SCU 2014-3 | Released in the CCS 11.0 SCU 2012-1 as Security Essentials for VMware ESXi 4.x; Updated in the CCS 11.0 SCU 2013-3 |
| VMware | VMware Hardening Guidelines ESX 4.x via Unix | VMware ESX Server 4.x Machines | CCS 11.0 SCU 2012-1; CCS 11.1 SCU 2014-3 | Released in the CCS 11.0 SCU 2012-1 as VMware Hardening Guidelines ESX 4.x; Updated in the CCS 11.0 SCU 2013-3 |
| VMware | VMware Hardening Guidelines ESXi 4.x via vCenter | VMware ESXI Server 4.x Machines | CCS 11.0 SCU 2012-3; CCS 11.1 SCU 2014-3 | Released in the CCS 11.0 SCU 2012-1 as VMware Hardening Guidelines ESXi 4.x via vCenter; Updated in the CCS 11.0 SCU 2013-3 |
| VMware | VMware Hardening Guidelines ESXi 5.x via vCenter | VMware ESXI Server 5.x Machines | CCS 11.0 SCU 2013-3; CCS 11.1 SCU 2014-3 | Released as VMware Hardening Guidelines ESXi 5.1 via vCenter in the CCS 11.0 SCU 2013-3; Updated in the CCS 11.0 SCU 2014-2 |
| VMware | VMware Hardening Guidelines for vCenter 5.x Servers | VMware vCenter Servers | CCS 11.0 SCU 2014-2; CCS 11.1 SCU 2014-3 | |
| VMware | VMware Hardening Guidelines for vCenter Servers via Windows | VMware vCenter 4.x and 5.x Servers | CCS 11.0 SCU 2012-3; CCS 11.1 SCU 2014-3 | Released as VMware Hardening Guidelines for vCenter Servers in the CCS 11.0 SCU 2012-3; Updated in the CCS 11.0 SCU 2014-2 |
| Windows | CIS Benchmark for IIS 5.0 and 6.0 for Microsoft Windows 2000, XP and Server 2003 v1.0 | IIS 5.0 and 6.0 Servers | CCS 11.0 SCU 2012-1; CCS 11.1 SCU 2014-3 | |
| Windows | CIS Legacy Security Settings Benchmark for Windows 2003 Domain Controller v2.0 | Windows 2003 Domain Controller Servers | CCS 11.0 SCU 2012-1; CCS 11.1 SCU 2014-3 | |
| Windows | CIS Legacy Settings Benchmark for Windows XP Professional v2.01 | Windows XP Professional Machines | CCS 11.0 SCU 2012-1; CCS 11.1 SCU 2014-3 | |
| Windows | CIS Microsoft Windows Server 2012 V 1.0.0 | Windows Server 2012 R2 Machines; Windows Server 2012 Machines | CCS 11.0 SCU 2013-2; CCS 11.1 SCU 2014-3 | Updated in the CCS 11.0 SCU 2014-1 |
| Windows | CIS Security Configuration Benchmark For Microsoft Windows Server 2008 and Windows Server 2008 R2 | v1.1.0 Windows Server 2008 and 2008 R2 Machines; Windows Server 2008 Machines | CCS 11.0 SCU 2012-1; CCS 11.1 SCU 2014-3 | |
| Windows | CIS Security Configuration Benchmark for Windows 7 v1.1.0 | Windows 7 Machines | CCS 11.0 SCU 2012-1; CCS 11.1 SCU 2014-3 | |
| Windows | CIS Windows Server 2003 Legacy Security Settings for Domain Member Servers v2.0 | Windows 2003 Standalone and Member Servers | CCS 11.0 SCU 2012-1; CCS 11.1 SCU 2014-3 | |
| Windows | The Australian Government Information and Communications Technology Security Manual for Windows | Windows 2000 Machines; Windows 2003 Machines | CCS 11.0 SCU 2012-1; CCS 11.1 SCU 2014-3 | |
| Windows | US Federal Desktop Core Configuration Standard (FDCC) V1.0.1 for Windows Vista | Windows Vista Machines | CCS 11.0 SCU 2012-1; CCS 11.1 SCU 2014-3 | |
| Windows Applications | CIS Security Configuration Benchmark For Microsoft IIS 7.0 v1.1.0 | IIS 7.0 or Later Servers | CCS 11.0 SCU 2012-1; CCS 11.1 SCU 2014-3 | |
| Windows Applications | Security Essentials for Apache Tomcat Server 5.x - 8.x | All Windows Machines With Apache Tomcat Server Installed | CCS 11.0 SCU 2015-1; CCS 11.1 SCU 2015-1 | Released as Security Essentials for Apache Tomcat Server 5.5/6.0 in the CCS 11.0 SCU 2012-3 and CCS 11.1 SCU 2014-3 respectively; Updated in the Express SCU for Apache Tomcat 7.0 and 8.0; Later integrated with the CCS 11.x SCU 2015-1 |
| Windows Applications | Security Essentials for SharePoint Servers 2007 | Windows SharePoint Servers 2007 | CCS 11.0 SCU 2012-1; CCS 11.1 SCU 2014-3 | |
| Windows Applications | Security Essentials for Symantec Endpoint Protection | All Windows Machines | CCS 11.0 SCU 2012-1; CCS 11.1 SCU 2014-3 | |
| Windows Message Based | Change Notifications for Windows | All Windows Machines; All Windows ESM Agent Machines (deprecated) | CCS 11.0 SCU 2012-1; CCS 11.1 SCU 2014-3 | |
| Windows Message Based | CIS Legacy Security Settings Benchmark for Windows 2003 Domain Controller v2.0 | Windows 2003 Domain Controller Servers; Windows 2003 ESM Agent Machines (deprecated) | CCS 11.0 SCU 2012-1; CCS 11.1 SCU 2014-3 | |
| Windows Message Based | CIS Security Benchmark for Windows 2008 Domain Controller v1.0.0 | Windows 2008 Domain Controller Servers; Windows 2008 ESM Agent Machines (deprecated) | CCS 11.0 SCU 2012-1; CCS 11.1 SCU 2014-3 | |
| Windows Message Based | CIS Security Benchmark for Windows 2008 Domain Member Servers v1.0.0 | Windows 2008 Standalone and Member Servers; Windows 2008 ESM Agent Machines (deprecated) | CCS 11.0 SCU 2012-1; CCS 11.1 SCU 2014-3 | |
| Windows Message Based | CIS Windows Server 2003 Legacy Security Settings for Domain Member Servers v2.0 | Windows 2003 Machines; Windows 2003 ESM Agent Machines (deprecated) | CCS 11.0 SCU 2012-1; CCS 11.1 SCU 2014-3 | |
| Windows Message Based | ESM - OS Patches Comprehensive | All Windows Machines; Windows Server 2012 Machines; Windows Server 2012 R2 Machines; Windows 7 Machines; Windows 2008 Machines; Windows 2008 R2 Machines; Windows XP Professional Machines; Windows 2000 Server Machines; Windows Vista Machines; Windows 2003 Machines; All Red Hat Non-enterprise Linux Machines; All HP-UX Machines; All AIX Machines; Solaris Servers; Solaris 2.6 and Later Machines; All SUSE Linux Machines; UNIX Machines | CCS 11.0 SCU 2012-1; CCS 11.1 SCU 2014-3 | Updated every month |
| Windows Patch Standard | Comprehensive Windows Patch Assessment Standard | All Windows Machines; Windows Server 2012 Machines; Windows Server 2012 R2 Machines; Windows 7 Machines; Windows 2008 Machines; Windows 2008 R2 Machines; Windows XP Professional Machines; Windows 2000 Server Machines; Windows Vista Machines; Windows 2003 Machines | CCS 11.0 SCU 2012-1; CCS 11.1 SCU 2014-3 | Updated every month |

 

 
