Menu
Menu
SANS: 20 critical security controls you need to add

SANS: 20 critical security controls you need to add

A list of the controls you need plus how to implement them

Prioritizing security measures is the first step toward accomplishing them, and the SANS Institute has created a list of the top 20 critical security controls businesses should implement.

They include some obvious steps, such as getting a comprehensive inventory of all network devices and software, implementing secure hardware configurations and providing for data recovery, but also gets into areas that are less evident.

+More on Network World: Gartner: IT should simplify security to fight inescapable hackers+

Some of these items can be costly and include regularly scheduled assessments – penetration testing and red-team assessments, for example - so they require funding through annual security operating budgets.

Even if an organization can’t handle all 20, it’s a good list to include in a comprehensive set of goals that gets updated periodically as the threat landscape changes.

SANS offers a course on this, but here’s the list with links to recommended implementation steps:

1: Inventory of Authorized and Unauthorized Devices

2: Inventory of Authorized and Unauthorized Software

3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers

4: Continuous Vulnerability Assessment and Remediation

5: Malware Defenses

6: Application Software Security

7: Wireless Access Control

8: Data Recovery Capability

9: Security Skills Assessment and Appropriate Training to Fill Gaps

10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches

11: Limitation and Control of Network Ports, Protocols, and Services

12: Controlled Use of Administrative Privileges

13: Boundary Defense

14: Maintenance, Monitoring, and Analysis of Audit Logs

15: Controlled Access Based on the Need to Know

16: Account Monitoring and Control

17: Data Protection

18: Incident Response and Management

19: Secure Network Engineering

20: Penetration Tests and Red Team Exercises

Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.

Join the CIO newsletter!

Error: Please check your email address.

More about GartnerSANS Institute

Show Comments

Market Place

Computerworld
ARN
Techworld
CMO