IT Risk Assessments and the SANS Top 20

No matter what industry you are in, conducting a thorough IT Risk Assessment is critical to your organization for a number of reasons. First, it gives you a point in time measurement of how your IT Security posture compares to either various regulations or IT Security Frameworks. Second, it gives you the opportunity to assess your organization, to include people, processes, and technology, to identify areas of weakness and strategies to mitigate any risks associated with those weaknesses. Third, an IT Risk Assessment gives you insight to your organization, the data that it possesses, and how that data traverses your network. 

There are many different Federal, State, and Industry Regulations that guide these risk assessments and the evaluation of what controls an organization has in place. However, we are seeing more and more companies start to incorporate the SANS Top 20 Critical Security Controls (CSC) into their IT Risk Assessment methodology. Over the next several blog posts, we are going to take a handful of the Top 20 and break them down to discuss what they are and why they are important. First, we need to understand a little about the SANS Top 20, what they are, and how they were developed.

• What are the SANS Top 20 CSC's? - The SANS Top 20 Critical Security Controls are a set of actions, based on best practices, that are designed to prevent and discourage the most common and most dangerous cyberattacks.
• Where did the SANS Top 20 CSC's come from? - The SANS Top 20 have been developed and revised by some of the leading professionals in the field of cybersecurity. Some of the organizations that have had a hand in developing these Critical Security Controls include the NSA, Law Enforcement, US Dept. of Energy, and leading forensic and incident response organizations.
• What makes the SANS Top 20 CSC's so valuable? - In the world of Information Security, there are mountains of actions and suggested actions that are created on an almost daily basis. The SANS Top 20 takes the most well known threats that exist to an organization and transforms it into actionable guidance to improve an organizations security posture. Also, they are constantly evaluated and updated based on the latest threats that exist according to some of the world leaders in the realm of cybersecurity. The latest version, version 6.0, was released in October of 2015.

Over the coming weeks we are going to dig into each of the controls a handful at a time to share some insight and information around each control and explain these controls in a little better detail but until we do that, below is a complete list of all of the SANS Top 20 Critical Security Controls:

• CSC 1: Inventory of Authorized and Unauthorized Devices
• CSC 2: Inventory of Authorized and Unauthorized Software
• CSC 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
• CSC 4: Continuous Vulnerability Assessment and Remediation
• CSC 5: Controlled Use of Administrative Privileges
• CSC 6: Maintenance, Monitoring, and Analysis of Audit Logs
• CSC 7: Email and Web Browsing Protections
• CSC 8: Malware Defenses
• CSC 9: Limitation and Control of Network Ports, Protocols, and Services
• CSC 10: Data Recovery Capability
• CSC 11: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
• CSC 12: Boundary Defense
• CSC 13: Data Protection
• CSC 14: Controlled Access Based on the Need to Know
• CSC 15: Wireless Access Control
• CSC 16: Account Monitoring and Control
• CSC 17: Security Skills Assessment and Appropriate Training to Fill Gaps
• CSC 18: Application Software Security
• CSC 19: Incident Response and Management
• CSC 20: Penetration Tests and Red Team Exercises

There is the complete list of the Top 20 Critical Security Controls. For more information on Compass IT Compliance and our IT Risk Assessment services, feel free to contact us with any questions that you have!