You know, I really dig SANS for putting things together. On their page called Critical Security Controls for Effective Cyber Defense, they list the top 20 critical security controls.
I’m actually amazed at how quite a few companies do not place high emphasis on some of these. I worked for one company that thought security was ONLY having anti-virus.
Each of these security control links tells you why the control is critical, how to implement it, procedures and tools, effectiveness metrics, automation metrics, an effectiveness test, and how to diagram it out to document your implementation. It is nearly foolproof. That being said, it doesn’t mean every place has a budget for this. I was in a conference today where I heard that socializing the concept will allow for better adoption, which can be used with executive management to drive the point of securing funding for complete implementation and maintenance.
- 1: Inventory of Authorized and Unauthorized Devices
- 2: Inventory of Authorized and Unauthorized Software
- 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
- 4: Continuous Vulnerability Assessment and Remediation
- 5: Malware Defenses
- 6: Application Software Security
- 7: Wireless Access Control
- 8: Data Recovery Capability
- 9: Security Skills Assessment and Appropriate Training to Fill Gaps
- 10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
- 11: Limitation and Control of Network Ports, Protocols, and Services
- 12: Controlled Use of Administrative Privileges
- 13: Boundary Defense
- 14: Maintenance, Monitoring, and Analysis of Audit Logs
- 15: Controlled Access Based on the Need to Know
- 16: Account Monitoring and Control
- 17: Data Protection
- 18: Incident Response and Management
- 19: Secure Network Engineering
- 20: Penetration Tests and Red Team Exercises