If you follow the CIS Benchmark, do you buy older hardware?

obi-k
Valued Contributor III

Hi,

For organizations following the macOS CIS Benchmark, I am wondering how you or your procurement group handles purchasing Macs.

For example, if you put an order in for the 2019 iMac model, it comes with 10.14.4 installed and can't downgrade to approved CIS Benchmarks, which is at 10.13 High Sierra. Once the CIS Benchmark drops, it takes time for our internal security group to approve and lay down their revisions.

How are you folks handling this at your organization? Any hints, gotchas, best practices?

1 REPLY 1

joshsw
New Contributor II

We use the CIS benchmark. For newer machines that come with a higher version than the benchmark is designed for I make it match as many of the items as possible. Most times the newer version exceeds the requirements in the benchmark. I then document the differences or items we don't set for our security team who have it for audits