import { DocumentSource, SecurityDocument } from "../types.js";
/**
 * Document source that supplies a fixed set of CIS summaries (Benchmarks
 * overview, Controls IG1/IG2/IG3, and CIS RAM).
 *
 * Provenance caveats for anyone consuming these documents:
 * - The `content` text is written inline in this file. Nothing here contacts
 *   cisecurity.org, so the `url` field is a reference link, not the origin of
 *   the text.
 * - `lastUpdated` is stamped with the time of the call, not with the date the
 *   underlying CIS publication was revised. Do not use it as a freshness or
 *   version signal.
 * - The safeguard counts quoted in the text (56 / 130 / 153 across 18
 *   controls) are specific to one release of the CIS Controls.
 *   NOTE(review): they appear to match CIS Controls v8; confirm against the
 *   current release and consider recording the version in `metadata`.
 * - The CIS RAM entry links to the site root rather than a RAM-specific page.
 */
export class CISSource implements DocumentSource {
  name = "CIS";

  /**
   * Builds the static CIS document list.
   *
   * Progress and errors are written with `console.error`. Any exception raised
   * while building the list is logged and swallowed, so the caller receives
   * whatever was collected up to that point (possibly an empty array) rather
   * than a rejection.
   *
   * @returns The collected documents, in the order they are declared below.
   */
  async fetchDocuments(): Promise<SecurityDocument[]> {
    const documents: SecurityDocument[] = [];

    try {
      console.error("Fetching CIS documents...");

      // Everything except the timestamp is declared up front; the timestamp is
      // added per entry in the loop below so each document gets its own Date.
      const catalog: Omit<SecurityDocument, "lastUpdated">[] = [
        // Benchmarks: secure-configuration guidance, Level 1 vs Level 2 profiles.
        {
          id: "cis-benchmarks-overview",
          source: "CIS",
          title: "CIS Benchmarks Overview",
          url: "https://www.cisecurity.org/cis-benchmarks",
          content: `CIS Benchmarks are consensus-based secure configuration guidelines for systems and software. Developed by cybersecurity professionals, government entities, and industry. Benchmarks cover: Operating Systems (Windows, Linux, macOS, Unix), Cloud Providers (AWS, Azure, Google Cloud), Mobile Devices (iOS, Android), Network Devices (Cisco, Palo Alto), Databases (Oracle, SQL Server, MySQL, PostgreSQL), Web Servers and Applications. Each benchmark contains two levels: Level 1 - essential basic security requirements, practical and prudent, minimal negative impact. Level 2 - defense in depth measures, intended for high-security environments, may reduce functionality. Benchmarks are regularly updated to address new threats. Implementation can be manual or automated using configuration management tools. CIS-CAT Pro tool automates compliance assessment. Benefits include reduced risk, compliance support, community consensus, vendor neutral guidance.`,
          category: "Configuration Management",
          metadata: { framework: "CIS Benchmarks" },
        },
        // Controls, Implementation Group 1: baseline hygiene.
        {
          id: "cis-controls-ig1",
          source: "CIS",
          title: "CIS Controls Implementation Group 1 (IG1)",
          url: "https://www.cisecurity.org/controls",
          content: `CIS Controls IG1 is baseline cybersecurity for small to medium organizations with limited resources and cybersecurity expertise. IG1 includes 56 safeguards across 18 controls focused on: Basic cyber hygiene - essential security practices all organizations should implement. Includes: Asset Management - maintain inventory of authorized devices and software. Data Protection - protect sensitive data. Secure Configuration - establish secure baseline configurations. Access Control - limit and control access to systems and data. Vulnerability Management - identify and remediate vulnerabilities. Logging and Monitoring - collect and review logs. Email and Web Protections - protect email and web browsing. Malware Defense - deploy anti-malware tools. Data Recovery - maintain backups and test recovery. Security Awareness Training - train users on security risks. IG1 suitable for organizations with: limited IT staff, essential IT services, handling standard office applications, working with sensitive information requiring basic protection. Start with IG1 before advancing to IG2 or IG3.`,
          category: "Security Controls",
          metadata: { framework: "CIS Controls", level: "IG1" },
        },
        // Controls, Implementation Group 2.
        // NOTE(review): the 12-18 month implementation timeline in this text is
        // not attributed to a CIS publication anywhere in this file.
        {
          id: "cis-controls-ig2",
          source: "CIS",
          title: "CIS Controls Implementation Group 2 (IG2)",
          url: "https://www.cisecurity.org/controls",
          content: `CIS Controls IG2 builds on IG1 for organizations managing IT infrastructure with dedicated IT staff. IG2 includes 74 additional safeguards (total 130) covering: Network Infrastructure Management - secure network device configuration and monitoring. Network Monitoring and Defense - detect and respond to network threats. Service Provider Management - establish requirements for service providers. Application Security - secure application development and deployment. Advanced protections including: Automated asset discovery, Centralized log management, Advanced email security, Network segmentation, Penetration testing, Application whitelisting. IG2 appropriate for organizations with: Dedicated IT security personnel, Medium complexity IT environment, Compliance requirements, Multiple locations or business units, Sensitive data requiring enhanced protection, Customer data handling responsibilities. Requires more sophisticated tools and processes than IG1. Organizations typically spend 12-18 months implementing IG2 safeguards after achieving IG1 compliance.`,
          category: "Security Controls",
          metadata: { framework: "CIS Controls", level: "IG2" },
        },
        // Controls, Implementation Group 3: full safeguard set.
        {
          id: "cis-controls-ig3",
          source: "CIS",
          title: "CIS Controls Implementation Group 3 (IG3)",
          url: "https://www.cisecurity.org/controls",
          content: `CIS Controls IG3 represents comprehensive cybersecurity for organizations with high-value data and sophisticated threats. IG3 includes all 153 safeguards across all 18 controls. Additional IG3 safeguards focus on: Advanced threat protection, Sophisticated monitoring and detection, Proactive security measures, Red team exercises, Advanced incident response, Security operations center (SOC) capabilities. Key IG3-specific requirements: Advanced malware protection with behavioral analysis, SIEM implementation and 24/7 monitoring, Advanced penetration testing including red team, Application security including SAST/DAST, Advanced network segmentation with microsegmentation, Threat intelligence integration, Advanced logging and forensics capabilities. IG3 appropriate for: Large enterprises, Regulated industries (financial, healthcare, critical infrastructure), Organizations with high-value intellectual property, Targets of advanced persistent threats (APTs), Security service providers. Requires: Dedicated security team, Advanced security tools and technologies, Significant budget for security, Mature processes and governance. IG3 represents state-of-the-art cybersecurity posture.`,
          category: "Security Controls",
          metadata: { framework: "CIS Controls", level: "IG3" },
        },
        // Risk Assessment Method. The url below is the site root, not a RAM page.
        {
          id: "cis-ram",
          source: "CIS",
          title: "CIS Risk Assessment Method (RAM)",
          url: "https://www.cisecurity.org/",
          content: `CIS Risk Assessment Method (RAM) helps organizations prioritize security investments based on risk. Methodology includes: 1. Asset Identification - identify critical assets and information systems. 2. Threat Assessment - identify relevant threat actors and attack vectors. 3. Vulnerability Assessment - identify vulnerabilities in systems and processes using CIS Benchmarks and Controls. 4. Impact Analysis - determine potential business impact of successful attacks. 5. Risk Calculation - combine likelihood and impact to calculate risk scores. 6. Control Gap Analysis - compare current state against CIS Controls to identify gaps. 7. Prioritization - prioritize remediation based on risk scores and resource availability. RAM integrates with CIS Controls framework to provide risk-based implementation roadmap. Benefits include: objective risk quantification, alignment with business priorities, efficient resource allocation, executive communication tool, continuous monitoring and improvement. RAM helps organizations answer: Which controls should we implement first? Where should we invest limited resources? How do we demonstrate risk reduction to leadership?`,
          category: "Risk Management",
          metadata: { framework: "CIS RAM" },
        },
      ];

      for (const entry of catalog) {
        // Field order is spelled out so serialized output keeps the same key
        // sequence: ..., category, lastUpdated, metadata.
        documents.push({
          id: entry.id,
          source: entry.source,
          title: entry.title,
          url: entry.url,
          content: entry.content,
          category: entry.category,
          lastUpdated: new Date(), // call time, not the publication's revision date
          metadata: entry.metadata,
        });
      }

      console.error(`Fetched ${documents.length} CIS documents`);
    } catch (err) {
      // Best effort: report the failure and fall through with what we have.
      console.error("Error fetching CIS documents:", err);
    }

    return documents;
  }
}