The Center for Internet Security (CIS) is a non-profit organization that publishes security benchmarks and checklists. Recently, as noted in the Microsoft Secure blog, CIS released its CIS Microsoft 365 Foundations Benchmark version 1.0.0. It includes two levels of recommendations that let you choose between “light” and “heavy” security:
- Level 1—Recommended minimum security settings that should be configured on any system and should cause little or no interruption of service or reduced functionality.
- Level 2—Recommended security settings for highly secure environments and could result in some reduced functionality.
For example, the benchmark gives you actionable items to implement in your organization such as multifactor authentication (MFA):
To obtain these documents, log into the CISecurity.org website and download the guides. They are also requesting feedback. You can sign up on the site and then provide feedback where the settings have or have not worked for you.
The document sets forth each recommendation and then provides the rationale for it. For example, the current recommendation on password expiration is to not expire passwords and instead add two-factor authentication (2FA) as a protection:
Review the password expiration policy to ensure that user passwords in Office 365 are not set to expire.
NIST has updated their recommendation to not arbitrarily require users to change their passwords after a specific amount of time, unless there is evidence that the password is compromised or the user forgot it.
Then it provides information about how you can confirm that the policy you chose was set properly. In the case of passwords, you can audit the setting as shown:
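As an added example (not from the CIS benchmark or this article), the following PowerShell script audits the same setting from the command line using the Microsoft Graph PowerShell module. It assumes the Microsoft.Graph module is installed and that the signed-in account has a role that can read users and domains (for instance Global Reader). The constant 2147483647 is the value Microsoft Entra reports for PasswordValidityPeriodInDays when passwords are set to never expire.

```powershell
# Added example, not the benchmark's own audit procedure: check whether
# password expiration is disabled at the domain level and list enabled
# users whose per-user policy does not disable expiration.
# Assumes: Microsoft.Graph module installed; account has read access to
# users and domains.

Connect-MgGraph -Scopes "User.Read.All", "Domain.Read.All"

# Tenant (per-domain) policy. 2147483647 days means "never expire".
$neverExpires = 2147483647

$domainReport = Get-MgDomain | ForEach-Object {
    [pscustomobject]@{
        Domain                     = $_.Id
        PasswordValidityPeriodDays = $_.PasswordValidityPeriodInDays
        NeverExpires               = ($_.PasswordValidityPeriodInDays -eq $neverExpires)
    }
}
"Domain password expiration policy:"
$domainReport | Format-Table -AutoSize

# Per-user override. The string "DisablePasswordExpiration" in a user's
# PasswordPolicies exempts that user from expiration regardless of the
# domain policy. Properties must be requested explicitly; Get-MgUser
# does not return them by default.
$users = Get-MgUser -All -Property DisplayName, UserPrincipalName, PasswordPolicies, AccountEnabled

$stillExpiring = $users | Where-Object {
    $_.AccountEnabled -and ($_.PasswordPolicies -notmatch 'DisablePasswordExpiration')
}

"$($stillExpiring.Count) enabled user(s) are not flagged DisablePasswordExpiration:"
$stillExpiring |
    Select-Object DisplayName, UserPrincipalName, PasswordPolicies |
    Format-Table -AutoSize
```

If every domain shows NeverExpires as True, the benchmark recommendation is met and the per-user list is informational only; if a domain still has a finite validity period, the per-user list shows exactly which accounts are still subject to forced rotation.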