No matter what industry you are in, conducting a thorough IT Risk Assessment is critical to your organization for a number of reasons. First, it gives you a point in time measurement of how your IT Security posture compares to either various regulations or IT Security Frameworks. Second, it gives you the opportunity to assess your organization, to include people, processes, and technology, to identify areas of weakness and strategies to mitigate any risks associated with those weaknesses. Third, an IT Risk Assessment gives you insight to your organization, the data that it possesses, and how that data traverses your network.
There are many different Federal, State, and Industry Regulations that guide these risk assessments and the evaluation of what controls an organization has in place. However, we are seeing more and more companies start to incorporate the SANS Top 20 Critical Security Controls (CSC) into their IT Risk Assessment methodology. Over the next several blog posts, we are going to take a handful of the Top 20 and break them down to discuss what they are and why they are important. First, we need to understand a little about the SANS Top 20, what they are, and how they were developed.
What are the SANS Top 20 CSC's? - The SANS Top 20 Critical Security Controls are a set of actions, based on best practices, that are designed to prevent and discourage the most common and most dangerous cyberattacks.
Where did the SANS Top 20 CSC's come from? - The SANS Top 20 have been developed and revised by some of the leading professionals in the field of cybersecurity. Some of the organizations that have had a hand in developing these Critical Security Controls include the NSA, Law Enforcement, US Dept. of Energy, and leading forensic and incident response organizations.
What makes the SANS Top 20 CSC's so valuable? - In the world of Information Security, there are mountains of actions and suggested actions that are created on an almost daily basis. The SANS Top 20 takes the most well known threats that exist to an organization and transforms it into actionable guidance to improve an organizations security posture. Also, they are constantly evaluated and updated based on the latest threats that exist according to some of the world leaders in the realm of cybersecurity. The latest version, version 6.0, was released in October of 2015.
Over the coming weeks we are going to dig into each of the controls a handful at a time to share some insight and information around each control and explain these controls in a little better detail but until we do that, below is a complete list of all of the SANS Top 20 Critical Security Controls:
CSC 1: Inventory of Authorized and Unauthorized Devices
CSC 2: Inventory of Authorized and Unauthorized Software
CSC 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
CSC 4: Continuous Vulnerability Assessment and Remediation
CSC 5: Controlled Use of Administrative Privileges
CSC 6: Maintenance, Monitoring, and Analysis of Audit Logs
CSC 7: Email and Web Browsing Protections
CSC 8: Malware Defenses
CSC 9: Limitation and Control of Network Ports, Protocols, and Services
CSC 10: Data Recovery Capability
CSC 11: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
CSC 12: Boundary Defense
CSC 13: Data Protection
CSC 14: Controlled Access Based on the Need to Know
CSC 15: Wireless Access Control
CSC 16: Account Monitoring and Control
CSC 17: Security Skills Assessment and Appropriate Training to Fill Gaps
CSC 18: Application Software Security
CSC 19: Incident Response and Management
CSC 20: Penetration Tests and Red Team Exercises
There is the complete list of the Top 20 Critical Security Controls. For more information on Compass IT Compliance and our IT Risk Assessment services, feel free to contact us with any questions that you have!