The Center for Internet Security (CIS) provides globally recognized benchmarks to securely configure systems, applications, and networks. However, these rules may not be directly applicable to every organization’s compliance and operational requirements.
Compliance needs vary across industries. Healthcare organizations must protect sensitive patient data, while financial institutions focus on transaction security, fraud prevention, and auditability. Each sector has distinct regulatory demands, making it essential to adapt security configurations accordingly. For example, retail organizations prioritize securing payment systems and customer data, while government entities emphasize strict access controls and data sovereignty. Similarly, manufacturing environments often need to balance security with operational continuity to avoid disruptions.
With Endpoint Central, organizations can create custom compliance rules, build policy templates from scratch, or modify existing rules to align with these specific requirements. This enables CIS policies to be tailored for different use cases and consistently enforced across endpoints, ensuring effective and streamlined compliance management.
To create custom compliance policies or customize the existing CIS policies, go to Threats & Patches > Threats > Compliance > Policy Templates, click Create Custom Policy, and then select the operating system for which you want to customize the policy: Windows or Linux.


By clicking on Create Custom Rules, you can define specific compliance conditions tailored to your organization’s security requirements. In other words, you can build rules from scratch and create new policies or rule groups to organize and manage them effectively.
After clicking it, configure the rule group settings by selecting the OS/Software Identifier and filling in the Rule Group Details: a name for the Rule Group and a Summary. Once you have configured these settings, click on Save. The newly created Policy (or Rule Group) is then listed.
Note: When customizing or importing, ensure that the existing rules and policies you select have the same OS/Software Identifier.
If there is a mismatch, the rule will still be audited but marked as Not Applicable. For example, if a rule like "Ensure Password Policy Minimum Length is set to 14 characters (Windows 10)" is created for Windows 10 but applied to a Windows 11 machine, the rule does not match the OS version: the compliance audit is still performed, but the rule is returned as Not Applicable.
Always select matching OS and software identifiers for accurate compliance results.

To create rules from scratch within this policy, click on the policy name, click Action, and select Add Rule. The Create Rule interface opens, where you define and configure the compliance rule settings. Enter a rule name; by clicking on Show Additional Information, you can add more context to the rule through the available tabs. Use the Summary tab to briefly describe what the rule checks, the Rationale tab to explain why the rule is important, and the How to Fix tab to provide the remediation steps for resolving non-compliance. Select a rule category, such as password policy, registry policy, account lockout, or SID validation, depending on the type of system check needed, and then specify conditions through a criteria pattern that determines how these checks are evaluated for the selected category. You can add further checks by clicking on Add New Check; together, the checks form the rule logic. There is also an option to include additional information for more detailed configuration. Configure the settings for the checks as required and click on Save Rule.
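The rule logic described above (numbered checks combined through a criteria pattern) and the Not Applicable outcome from the earlier note can be modelled as follows. This is an added illustration, not Endpoint Central code: the class, the setting name, the Compliant/Non-Compliant status strings and the AND/OR pattern notation are assumptions.

```python
import re
from dataclasses import dataclass

# Comparators a single check may use (assumed set, for illustration).
OPS = {">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b, "==": lambda a, b: a == b}

@dataclass
class Rule:
    name: str
    os_identifier: str   # must match the endpoint, otherwise Not Applicable
    checks: dict         # check number -> (setting, comparator, expected value)
    criteria: str        # assumed notation, e.g. "1 AND (2 OR 3)"

def eval_criteria(pattern, results):
    # Replace each check number with its outcome, then reduce innermost groups.
    expr = re.sub(r"\d+", lambda m: "1" if results[int(m.group())] else "0",
                  re.sub(r"\s+", "", pattern))
    def flat(part):      # parenthesis-free: OR of AND terms
        terms = [t.split("AND") for t in part.split("OR")]
        if any(x not in ("0", "1") for t in terms for x in t):
            raise ValueError(f"malformed criteria pattern: {pattern!r}")
        return "1" if any(all(x == "1" for x in t) for t in terms) else "0"
    while "(" in expr:
        reduced = re.sub(r"\(([^()]*)\)", lambda m: flat(m.group(1)), expr)
        if reduced == expr:
            raise ValueError(f"unbalanced parentheses: {pattern!r}")
        expr = reduced
    return flat(expr) == "1"

def audit(rule, endpoint):
    if rule.os_identifier != endpoint["os"]:
        return "Not Applicable"   # audited, but the identifier does not match
    results = {}
    for number, (setting, op, expected) in rule.checks.items():
        actual = endpoint["settings"].get(setting)
        # A setting missing from the endpoint counts as a failed check.
        results[number] = actual is not None and OPS[op](actual, expected)
    return "Compliant" if eval_criteria(rule.criteria, results) else "Non-Compliant"

# Constructed sample data: the rule named in the note, treated as a minimum.
RULE = Rule("Ensure Password Policy Minimum Length is set to 14 characters (Windows 10)",
            "Windows 10", {1: ("MinimumPasswordLength", ">=", 14)}, "1")
WIN10 = {"os": "Windows 10", "settings": {"MinimumPasswordLength": 8}}
WIN11 = {"os": "Windows 11", "settings": {"MinimumPasswordLength": 14}}

if __name__ == "__main__":
    for ep in (WIN10, WIN11):
        print(ep["os"], "->", audit(RULE, ep))
```

The Windows 11 endpoint holds a compliant value yet still reports Not Applicable, which is why a mismatched identifier hides the real state of the setting in audit results.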

From the Action button next to a rule group, you can also create a sub-group of rules by clicking on Create Sub-Group, or import rules from other existing policies by clicking on Import Rule. You can also move rules across different rule groups based on your preferences by clicking on the Move button.
By clicking on Import Rules, you can import multiple rules from any number of existing policies to create a unique rule group with a customized name, OS/Software Identifier, and Summary.

Additionally, by clicking on the Edit button on an existing rule, you can modify its settings as required by your organization, save the changes, and publish the policy.
Once you have configured the required customizations for a policy, click on Save and Publish.

Your customized policies will appear in the Policy Templates section as Published. You can then use them to create policy groups and scan these rules against target computers. The scan performs a compliance audit that assesses each computer's adherence to the rules, helping you maintain consistent compliance management across your environment.
From the Policy Templates section, you can delete a custom compliance policy that you created. Click the Action button next to the policy name, then select Move to Trash.

To view deleted policies, click View Trash. Policies in Trash are automatically deleted after 30 days without any notifications.

If you have any further questions, please refer to our Frequently Asked Questions section for more information.
Refer to this page for detailed how-to information on compliance customization.