The Center for Internet Security (CIS) is a non-profit organization that publishes security benchmarks and checklists. Recently, as noted on the Microsoft Secure blog, CIS released the CIS Microsoft 365 Foundations Benchmark version 1.0.0. It includes two levels of recommendations, so you can choose between “light” and “heavy” security:

Level 1: Recommended minimum security settings that should be configured on any system and should cause little or no interruption of service or reduced functionality.

Level 2: Recommended security settings for highly secure environments that could result in some reduced functionality.

For example, the benchmark gives you actionable items to implement in your organization, such as multifactor authentication (MFA):

[Figure: Implement MFA. Source: Center for Internet Security]

To obtain these documents, log in to the CISecurity.org website and download the guides. CIS is also requesting feedback: you can sign up on the site and report where the settings have or have not worked for you.

The document sets forth each recommendation and then provides the rationale for it. For example, the current recommendation on password expiration is not to expire passwords at all, and to add two-factor authentication (2FA) as a protection instead:

Description: Review the password expiration policy to ensure that user passwords in Office 365 are not set to expire.

Rationale: NIST has updated its recommendation to not arbitrarily require users to change their passwords after a specific amount of time, unless there is evidence that the password is compromised or the user forgot it.

Then it provides information about how you can confirm that the policy you chose was set properly. In the case of passwords, you can audit the setting as shown:

[Figure: Audit password policy. Source: Center for Internet Security]

The final section is a checklist of all the recommended settings in the document.

[Figure: Checklist for recommended Microsoft 365 security settings. Source: Center for Internet Security]

I highly recommend downloading the document and reviewing the recommended settings. I guarantee you will find some settings you never knew about.

If you run Office 365 rather than Microsoft 365, the CIS guidance still has value, as many of the same concepts apply. Additional resources for Office 365 can be found on the Office 365 Security and Compliance site.
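The password-expiration audit described above can be scripted rather than checked by hand in the admin portal. The following is an added example, not code from the article or from the CIS benchmark itself: it uses the Microsoft Graph PowerShell SDK to report, per verified domain, whether passwords are set to never expire, and offers a separate remediation function. It assumes the Microsoft.Graph.Identity.DirectoryManagement module is installed and that the signed-in account holds the Domain.Read.All permission for the audit (Domain.ReadWrite.All for remediation). The value 2147483647 is the sentinel Entra ID uses for "never expires".

```powershell
# Added example (not from the article or the CIS benchmark): audit the
# "passwords do not expire" recommendation across every verified domain.
# Assumptions: Microsoft.Graph.Identity.DirectoryManagement is installed and the
# caller has Domain.Read.All (audit) or Domain.ReadWrite.All (remediation).

$NeverExpires   = 2147483647   # Entra ID sentinel for "password never expires"
$DefaultValidity = 90          # Graph leaves the property unset when the 90-day default applies

Connect-MgGraph -Scopes "Domain.Read.All"   # read-only is sufficient for the audit

function Test-PasswordExpirationPolicy {
    # Returns one object per verified domain with a Compliant flag
    Get-MgDomain -All | Where-Object { $_.IsVerified } | ForEach-Object {
        $validity = if ($null -eq $_.PasswordValidityPeriodInDays) { $DefaultValidity }
                    else { $_.PasswordValidityPeriodInDays }
        [pscustomobject]@{
            Domain             = $_.Id
            ValidityPeriodDays = $validity
            NotificationDays   = $_.PasswordNotificationWindowInDays
            Compliant          = ($validity -eq $NeverExpires)
        }
    }
}

function Set-PasswordNeverExpires {
    # Remediation for a single domain; requires a session with Domain.ReadWrite.All
    param([Parameter(Mandatory)][string]$Domain)
    Update-MgDomain -DomainId $Domain `
                    -PasswordValidityPeriodInDays $NeverExpires `
                    -PasswordNotificationWindowInDays 14
}

$results = Test-PasswordExpirationPolicy
$results | Format-Table -AutoSize

# Surface failing domains so a reviewer can decide whether to call Set-PasswordNeverExpires
$results | Where-Object { -not $_.Compliant } | ForEach-Object {
    Write-Warning "Domain $($_.Domain) expires passwords every $($_.ValidityPeriodDays) days; CIS recommends no expiration."
}
```

The audit and the fix are deliberately separate functions: the script runs with read-only scope and only reports, so it can be scheduled as a recurring compliance check, while remediation is an explicit, per-domain action taken after review. Pair the change with MFA enforcement, as the benchmark recommends, since removing expiration without a second factor weakens the posture rather than improving it.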