20 Critical Security Controls
- Inventory of authorized and unauthorized devices
- Inventory of authorized and unauthorized software
- Secure configurations for hardware and software on mobile devices, laptops, workstations, and servers
- Continuous vulnerability assessment and remediation
- Malware defenses
- Application software security
- Wireless device control
- Data recovery capability
- Security skills assessment and appropriate training to fill gaps
- Secure configurations for network devices such as firewalls, routers, and switches
- Limitation and control of network ports, protocols, and services
- Controlled use of administrative privileges
- Boundary defense
- Maintenance, monitoring, and analysis of audit logs
- Controlled access based on the need to know
- Account monitoring and control
- Data loss prevention
- Incident response and management
- Secure network engineering
- Penetration tests and red team exercises
“In the large enterprises it’s going to take people a year or two to implement a plan” based on the controls, Gula said. “I think it’s in a good place.”
Government, which made up the largest segment of the respondents to the survey, with about 20 percent of the total, probably leads the private sector in using the controls, Gula said. Overall, his company’s government customers are ahead of the curve in adopting standardized, centralized security monitoring and auditing programs, which he said is a key part of defending IT systems. “If you are trying to keep the bad guys out, if you can’t manage that centrally you’re not going to be able to keep them out.”
Agencies’ willingness to use the controls list is not surprising, as they initially were conceived as a framework to shore up federal IT security. The surprise is the degree to which they are being adopted by the private sector as well.
The online survey of 699 security professionals was conducted earlier this year by the SANS Institute, one of the organizations involved in developing the list.
The Critical Security Controls were developed to help make work originally done by the National Security Agency available to civilian agencies and non-government organizations. NSA participated in the effort to take the information public, which was led by SANS, the Center for Internet Security and the Center for Strategic and International Studies. The original list was published in 2009 and has been updated periodically since then.
The goal of the list is to prioritize actions to improve enterprise security posture through a threat-focused approach rather than focusing on regulatory compliance. It offers a lens for focusing activity on areas of highest payback by concentrating on what threats are actually used to exploit security weaknesses.