- June 10, 2014
- Posted by: Jake McAleer, CISA, CCNA
- Category: IT Audit & Security
Information Security – Where Do I Start?
Computer security has been a topic of discussion for years. As more and more systems come online that store and process sensitive data, both the risk level and the complexity only increase. Trying to get a handle on information security can be overwhelming for an organization, starting with basic questions such as:
- Where are the risks to an organization?
- What is the likelihood of each risk?
- Who would (or could) help understand and mitigate those risks?
- How should those risks be prioritized?
- Who owns the risks and efforts to reduce them?
Areas of Focus
Often, organizations know they face numerous information security risks, but either don’t know where to start or simply don’t have the time and/or resources to address them. These challenges face organizations large and small, including the United States government. In 2008, the Department of Defense began work on outlining the top critical security risks, and then the controls that should exist to help limit them. Through collaborative work across various governmental, public, and private organizations (including the U.S. Department of Homeland Security, U.S. Department of State, Office of the CISO, MITRE Corporation, and the SANS Institute), a list of the top 20 critical security controls (CSCs) was agreed upon and outlined.
As explained on the SANS website, the goal of the Critical Controls is “to protect critical assets, infrastructure, and information by strengthening your organization’s defensive posture through continuous, automated protection and monitoring of your sensitive information technology infrastructure to reduce compromises, minimize the need for recovery efforts, and lower associated costs.”
The control areas, as numbered in the version current at the time of writing (later revisions have reordered and renumbered several of them), are:
- Critical Control 1: Inventory of Authorized and Unauthorized Devices
- Critical Control 2: Inventory of Authorized and Unauthorized Software
- Critical Control 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
- Critical Control 4: Continuous Vulnerability Assessment and Remediation
- Critical Control 5: Malware Defenses
- Critical Control 6: Application Software Security
- Critical Control 7: Wireless Device Control
- Critical Control 8: Data Recovery Capability
- Critical Control 9: Security Skills Assessment and Appropriate Training to Fill Gaps
- Critical Control 10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
- Critical Control 11: Limitation and Control of Network Ports, Protocols, and Services
- Critical Control 12: Controlled Use of Administrative Privileges
- Critical Control 13: Boundary Defense
- Critical Control 14: Maintenance, Monitoring, and Analysis of Audit Logs
- Critical Control 15: Controlled Access Based on the Need to Know
- Critical Control 16: Account Monitoring and Control
- Critical Control 17: Data Loss Prevention
- Critical Control 18: Incident Response and Management
- Critical Control 19: Secure Network Engineering
- Critical Control 20: Penetration Tests and Red Team Exercises
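Critical Controls 1 and 2 come first in the list for a reason: you cannot patch, configure, or monitor a device you do not know you have. The script below is an added example (not code from the original post or from SANS) of the core check behind Critical Control 1: reconcile what is actually seen on the network against an authorized asset register. The CSV register, the ARP-style discovery lines, and every hostname and MAC address in it are constructed for illustration; in practice the register would come from a CMDB or DHCP reservation export and the discovery data from a switch ARP/MAC table, DHCP leases, or a network scanner.

```python
"""Reconcile discovered devices against an authorized inventory (Critical
Control 1).  Added example; all inventory data below is constructed."""
import csv
import io
import re

# Constructed authorized-asset register (what SHOULD be on the network).
AUTHORIZED_CSV = """mac,hostname,owner
00:1a:2b:3c:4d:5e,ws-finance-01,finance
00:1a:2b:3c:4d:5f,ws-finance-02,finance
00:1a:2b:3c:4d:60,srv-file-01,it
"""

# Constructed ARP-table style discovery output: "ip  mac  name" per line.
# Note the mixed case and separators, which a naive string compare would miss.
DISCOVERED_ARP = """10.0.1.10  00:1a:2b:3c:4d:5e  ws-finance-01
10.0.1.11  00:1A:2B:3C:4D:5F  ws-finance-02
10.0.1.77  aa:bb:cc:dd:ee:ff  android-3f2a
10.0.1.80  00-11-22-33-44-55  (unknown)
"""

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw: str) -> str:
    """Canonical lower-case, colon-separated form, so 00-11-22-33-44-55 and
    00:11:22:33:44:55 compare equal.  Raises ValueError on anything that is
    not 12 hex digits."""
    digits = re.sub(r"[^0-9a-f]", "", raw.strip().lower())
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_authorized(text: str) -> dict:
    """Map normalized MAC -> {hostname, owner} from the register CSV."""
    reader = csv.DictReader(io.StringIO(text))
    return {normalize_mac(row["mac"]): {"hostname": row["hostname"],
                                        "owner": row["owner"]}
            for row in reader}


def parse_discovered(text: str) -> list:
    """(ip, mac, name) tuples from discovery lines.  A malformed MAC is kept
    under an 'invalid:' prefix so it surfaces as a finding instead of being
    silently dropped."""
    seen = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        ip, raw_mac = parts[0], parts[1]
        name = parts[2] if len(parts) > 2 else ""
        try:
            mac = normalize_mac(raw_mac)
        except ValueError:
            mac = "invalid:" + raw_mac
        seen.append((ip, mac, name))
    return seen


def reconcile(authorized: dict, discovered: list) -> dict:
    """Split devices into matched (in both lists), unauthorized (seen but not
    registered) and missing (registered but not seen).  'missing' is a finding
    too: the asset may be stolen, or the register may simply be stale."""
    seen_macs = {mac for _, mac, _ in discovered}
    unauthorized = [(ip, mac, name) for ip, mac, name in discovered
                    if mac not in authorized]
    matched = [(ip, mac, authorized[mac]["hostname"]) for ip, mac, _ in discovered
               if mac in authorized]
    missing = sorted((mac, authorized[mac]["hostname"]) for mac in authorized
                     if mac not in seen_macs)
    return {"matched": matched, "unauthorized": unauthorized, "missing": missing}


def run_report(authorized_csv: str = AUTHORIZED_CSV,
               arp_text: str = DISCOVERED_ARP) -> dict:
    """Print the findings and return them for further processing."""
    result = reconcile(parse_authorized(authorized_csv), parse_discovered(arp_text))
    for ip, mac, name in result["unauthorized"]:
        print(f"UNAUTHORIZED  {ip:<12} {mac}  {name}")
    for mac, host in result["missing"]:
        print(f"MISSING       {'-':<12} {mac}  {host}")
    return result


if __name__ == "__main__":
    run_report()
```

On the constructed data the report flags two unauthorized devices (the Android phone and the unnamed host at 10.0.1.80) and one registered server that was not seen on the wire. Keying on MAC address is a starting point, not a guarantee: MACs can be spoofed, so a mature implementation of this control adds a second signal such as 802.1X authentication or a certificate-based agent check-in.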
Why This Framework?
There are many security frameworks available today, so why choose this one? The SANS Top 20 Critical Security Controls are:
- Clearly defined and understandable for both technical and non-technical personnel
- Designed to be applicable to any business
- Well known and used across numerous industries
- Actively maintained and updated as technologies change
- Freely available for any organization to use
- Supported by many resources available on the Internet and from various vendors
Many other frameworks are designed for a specific industry, are proprietary and expensive to obtain and maintain, or are no longer actively maintained.
Want help evaluating how your organization is doing against these industry standards, from an organization with over 15 years of IT Audit and Security experience? Visit the IT Audit Division website to learn more about how we can help.