Follow the guidance in this CIS document to configure Microsoft 365 security settings to the level that suits your organization.

Credit: ivanastar / Getty Images

The Center for Internet Security (CIS) is a non-profit organization that puts forth security benchmarks and checklists. Recently, as noted in the Microsoft Secure blog, CIS released its CIS Microsoft 365 Foundations Benchmark version 1.0.0. It includes two levels of instructions that allow you to choose whether you want "light" security or "heavy" security.

Level 1: Recommended minimum security settings that should be configured on any system and should cause little or no interruption of service or reduced functionality.

Level 2: Recommended security settings for highly secure environments and could result in some reduced functionality.

For example, the benchmark gives you actionable items to implement in your organization, such as multifactor authentication (MFA):

[Figure: Implement MFA. Credit: Center for Internet Security]

To obtain these documents, log into the CISecurity.org website and download the guides. CIS is also requesting feedback. You can sign up on the site and then provide feedback where the settings have or have not worked for you.

The document sets forth the recommendation and then provides the rationale for the recommendation. For example, the current recommendation on password expiration is to not expire passwords and to add two-factor authentication (2FA) as a protection:

Description: Review the password expiration policy to ensure that user passwords in Office 365 are not set to expire.

Rationale: NIST has updated their recommendation to not arbitrarily require users to change their passwords after a specific amount of time, unless there is evidence that the password is compromised or the user forgot it.

Then it provides information about how you can confirm that the policy you chose was set properly.
In the case of passwords, you can audit the setting as shown:

[Figure: Audit password policy. Credit: Center for Internet Security]

The final section is a checklist of all the recommended settings in the document.

[Figure: Checklist for recommended Microsoft 365 security settings. Credit: Center for Internet Security]

I highly recommend downloading the document and reviewing the recommended settings. I guarantee you will find some settings you never knew about.

If you run Office 365 rather than Microsoft 365, the CIS guidance still has value, as many of the same concepts apply. Additional resources for Office 365 can be found on the Office 365 Security and Compliance site.
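One way to run the password expiration audit described above from PowerShell, as an added example that is not taken from the CIS benchmark or from the original article. It assumes the Microsoft Graph PowerShell SDK is installed and that the signed-in account can be granted the Domain.Read.All scope; the status labels are this example's own.

```powershell
# Added example (not from the CIS benchmark): report password expiration per domain.
# Assumes the Microsoft Graph PowerShell SDK is installed and the signed-in
# account can be granted the Domain.Read.All scope.
Import-Module Microsoft.Graph.Identity.DirectoryManagement

# Value the directory stores when passwords are set to never expire.
$NeverExpires = 2147483647

Connect-MgGraph -Scopes 'Domain.Read.All' | Out-Null

$report = foreach ($domain in Get-MgDomain -All) {
    $days = $domain.PasswordValidityPeriodInDays

    $status = if ($domain.AuthenticationType -eq 'Federated') {
        # Federated domains authenticate at the identity provider, so the
        # cloud password policy is not what governs expiration there.
        'Not applicable (federated)'
    }
    elseif ($null -eq $days) {
        # No explicit value: the service default applies, so confirm it by hand.
        'Review (not explicitly set)'
    }
    elseif ($days -eq $NeverExpires) {
        'Pass (never expires)'
    }
    else {
        "Fail (expires after $days days)"
    }

    [pscustomobject]@{
        Domain             = $domain.Id
        AuthenticationType = $domain.AuthenticationType
        ValidityPeriodDays = $days
        Status             = $status
    }
}

$report | Sort-Object Status, Domain | Format-Table -AutoSize

# Non-zero exit code lets a scheduled job or pipeline flag drift from the setting.
$failed = @($report | Where-Object { $_.Status -like 'Fail*' -or $_.Status -like 'Review*' })
if ($failed.Count -gt 0) {
    Write-Warning "$($failed.Count) domain(s) need attention."
    exit 1
}
```

Pair a passing result with the MFA recommendation from the benchmark, since the guidance to stop expiring passwords is presented together with 2FA as the protection.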