The Center for Internet Security (CIS), a not-for-profit organization focused on enhancing cyber security readiness and response in the public and private sectors, today announced the release of benchmarks that provide security configuration guidance for two of the leading database servers in the enterprise marketplace: Oracle Database 11g R2 and Microsoft SQL Server 2008 R2 Database Engines. By implementing these CIS benchmarks, users can now follow a well-established list of settings to safely harden their systems.

The CIS Oracle Database 11g R2 and CIS Microsoft SQL Server 2008 R2 Benchmarks include specific, detailed guidance for a wide range of security configuration settings, including recommendations for auditing and logging, file/directory permissions and system authentication.

These CIS security guides are the result of a consensus-based peer review process of subject matter experts, providing perspectives from a diverse set of backgrounds including consulting, software development, audit and compliance, security research, operations, government and legal. Dr. Alan Carter Covell of Qualys, along with Alexander Kornbrust of Red Database Security, Paul Wright, and Kevvie Fowler of Ringzero, Inc. provided key contributions to this effort.

“Database security is essential for organizations of all sizes and across all sectors, particularly as our data becomes more critical to business operations and the need to better protect it grows. These new CIS benchmarks provide clear, results-oriented guidance to help entities implement security for their data and database systems,” said Rick Comeau, Executive Director, CIS Security Benchmarks Division. “We are pleased to work with our industry partners and subject matter experts to develop these consensus-based resources and make them available to a broad audience.”

The new CIS Security Configuration Benchmarks are available for download free-of-charge on the CIS website:

Oracle Database 11g R2
Microsoft SQL 2008 R2

For access to all CIS Benchmarks, which provide recommended secure configuration controls spanning server and desktop operating systems, network and mobile devices, desktop software applications and more, visit CIS Security Benchmarks. CIS Benchmarks are widely accepted by auditors to meet a number of compliance requirements, including those within FISMA, PCI, HIPAA and GLB.

CIS also encourages those interested in volunteering their time and expertise to the consensus development of future CIS security benchmarks to sign up online.

About the Center for Internet Security

The Center for Internet Security (CIS) is a not-for-profit organization whose mission is to enhance the cyber security readiness and response of public and private sector entities, with a commitment to excellence through collaboration. The CIS Security Benchmarks Division provides cost-effective, consensus-based and internationally recognized solutions that help organizations improve their cyber security and compliance posture.