If you’re not familiar with the Center for Internet Security, here’s the organization’s mission statement:
The Mission of the Center for Internet Security is to enhance the security readiness and response of public private sector entities, with a commitment to excellence through collaboration.
CIS produces consensus-based, best practice secure configuration benchmarks and security automation content, and serves as the key cyber security resource for state, local, territorial and trial governments, including chief security officers, homeland security advisors and fusion centers. CIS provides products and resources that help partners achieve security goals through expert guidance and cost-effective solutions.
That consensus-based part means it’s mostly community-sourced. That means if you work on a product with a security benchmark, you can contribute. I bring this up because there are security benchmarks for SQL Server available for download and we are always looking for knowledgeable folks to contribute their expertise. This link is to the released version of the benchmark for the relevant SQL Server versions.
Not only are the finalized release versions of the benchmarks available, but we also are actively working on the benchmarks all the time. As a result, the next version of each benchmark is typically available for comments and proposed changes as a draft. The more knowledgeable folks contribute, the better we can make these benchmarks, which hopefully results in more secured SQL Servers around the world.
Also, once a product version has been out long enough, we start a benchmark for it, too. That means we’ve begun the security benchmark for SQL Server 2014. We’d love contributions from the community to make this a solid benchmark with its 1.0 release. If you have the time and experience working with SQL Server 2014 security, please take a look. The current draft is a copy of the 2012 one, so there are definitely changes to be made. Thanks!