Skip to content

Security & Hardening Benchmarks

Approach

Versio.io enables you to seamlessly import security and hardening benchmark results from any benchmark scanner, analyse and manage them centrally, integrate them with your existing IT context (CMDB, security requirements) and feed them into your ISMS or risk management framework. Instead of leaving data isolated in proprietary scanner tools or static reports, Versio.io consolidates this information in a vendor-neutral manner. This makes compliance with requirements (such as CIS benchmarks, Ubuntu Security Guides or internal hardening policies) continuously measurable, traceable and manageable.

Added values

With Versio.io, we transform rigid compliance benchmark results into a dynamic and action-oriented management approach. Instead of simply ploughing through static PDF reports, we turn benchmark results into manageable entities and offer you the following concrete benefits:

  • Tool-agnostic & multi-vendor strategy – breaking down data silos We process benchmark non-compliances from a wide variety of sources centrally on a single platform (e.g. CIS-CAT, Ubuntu Security Guide, OpenSCAP, Lynis, DevSec Hardening Framework). This independence ensures you have the freedom to choose between commercial and open-source scanners in a mixed environment, prevents isolated data silos and ensures optimal cost control.

  • Benchmarks in the Context of the Digital Twin We map the direct relationship between identified benchmark violations and the affected assets or CMDB CIs. This digital twin provides you with the full IT context for every vulnerability, transforming isolated alerts into comprehensible connections.

  • Comprehensive historical tracking & root cause analysis Every benchmark result is continuously logged. Thanks to this comprehensive record-keeping and the deep integration of the Digital Twin, whenever a benchmark status changes, you can immediately see why this has occurred and carry out targeted root cause analyses.

  • Smart, risk-based prioritisation In light of strict compliance requirements (such as Level 2 guidelines), Versio.io helps you deploy your resources efficiently. Non-compliances are prioritised on a risk-based basis and according to specific security needs assessments (e.g. PROD vs. TEST), ensuring that critical systems always take precedence.

  • Seamless integration with ISMS & risk management Technical hardening and organisational compliance merge into a single, end-to-end process. Versio.io seamlessly transfers failed benchmark results into your Information Security Management System (ISMS). In this way, isolated technical findings are transformed into directly manageable risks, which you can assess, document and address comprehensively and in an auditable manner through targeted measures (risk treatment) in line with regulatory requirements (such as ISO 27001 or NIS2).

Assessment of Compliance and Security Benchmarks

To meaningfully assess the status of IT security and adherence to regulatory frameworks (such as CIS, NIST, or PCI DSS) in the central management process, two different metrics are used:

Fulfillment

Fulfillment (absolute fulfillment rate) indicates the purely quantitative proportion of successfully passed checks (rules/checks) in relation to the total number of configured checks.

  • Calculation: (Number of fulfilled rules / Total number of applied rules) * 100
  • Significance: This value provides a quick, absolute overview of how many requirements of a framework have been mathematically processed and implemented. All rules are treated equally here—regardless of whether an unfulfilled rule represents a minimal or a business-critical risk.

Fulfillment weighted

Fulfillment weighted (weighted fulfillment rate) provides a more detailed, risk-based assessment. Here, the results of the individual rule executions are additionally weighted according to their specific Severity.

The higher the criticality of a rule, the more weight it carries in the calculation. A typical distribution of weighting factors (which may vary slightly depending on the system or standard used) looks as follows:

Severity Weighting Factor Description of Impact
Critical 1.000 Very high, business-critical risk. Non-fulfillment pulls the score down massively. Highest priority for remediation.
High 100 High risk. Strongly impacts the score. Timely remediation is urgently required.
Medium 10 Moderate risk. Visible but medium impact on the overall rating.
Low 1 Low risk (often best practices). Has only marginal effects on the weighted score.
  • Significance: This value reflects the actual risk situation much more precisely than the purely quantitative fulfillment.
  • Practical Use: The weighted fulfillment rate is the decisive control instrument for IT security management. Prioritizing measures by severity ensures that administrators use their time efficiently: Remediating a few critical findings improves the "Fulfillment weighted" score much faster and more effectively than the mass processing of "Low" findings.

Use cases

Benchmark device dashboard

In the detailed view of an individual asset (e.g., a server or network device), Versio.io provides a dedicated overview of all current benchmark test results.

  • At a glance: You can immediately see the device’s overall compliance score, the number of passed and failed checks, and the specific discrepancies (e.g., unencrypted protocols or incorrect file permissions).
  • Full detail: Each violation is displayed along with the metadata provided by the scanner, the affected configuration line, and the official recommendations for remediation.
  • Timeline: An integrated history shows when a violation first occurred or whether it was successfully resolved following a configuration update.

Benchmark analysis by device

Figure: Benchmark analysis by device

Benchmark governance dashboard

For IT management and the Chief Information Security Officer (CISO), the Benchmark Governance Dashboard in Versio.io provides an aggregated overview of benchmark results across the entire IT infrastructure.

  • Centralised compliance dashboard: Monitor the global security status of your entire fleet in real time. Filter results by severity (Critical, High, Medium, Low), scanner type or specific operating systems.
  • Pattern recognition: Identify recurring, systematic misconfigurations – for example, a faulty default image causing the same SSH vulnerability on dozens of systems.
  • Environment filters: Narrow down the view to immediately isolate vulnerabilities on systems in production environments.

Benchmark analysis over all devices and results

Figure: Benchmark analysis over all devices and results

Audit report in PDF format

Versio.io provides a flexible export function for internal audits, external auditors or management.

  • Documentation at the click of a button: Generate audit-proof PDF audit reports for a specific cut-off date or for freely definable time periods.
  • Tailored to the target audience: The report contains a concise management summary (key figures, trends, compliance level) as well as a detailed technical appendix listing specific non-conformities and their resolution status.
  • Evidence of compliance: Use the historical data to provide auditors with comprehensive evidence that vulnerabilities and policy breaches have been rectified not just on an ad hoc basis, but permanently and in accordance with established processes.

Integration of benchmarks into the ISMS and/or risk management

Compliance breaches are not isolated IT issues, but operational risks. Versio.io bridges the gap to overarching IT risk management.

  • Automated risk assessment: A failed benchmark test automatically assigns a higher overall risk rating if the affected asset is classified as ‘business-critical’ (e.g. a core service or a customer database) in the CMDB.
  • Alerting & Workflows: In the event of critical deviations on protected systems (e.g. Level 2 policies), automated notifications or tickets can be generated to ensure prompt resolution within defined SLAs.
  • Governance & Audit Readiness: The direct link between technical findings and business risk proactively documents effective risk management in line with standards such as ISO 27001, NIS2 or DORA.