SecurityMetrics Audit for SANS Top 20 Critical Security Controls for Cyber Defense
Learn more about how your organization can fight cyberattacks. Can your business withstand a cyberattack? How sure are you?
Together with the SANS Institute, the Center for Internet Security created a list of the Top 20 Critical Security Controls to protect organizations from cyberattacks. SecurityMetrics has created a new audit based on these Top 20 Security Controls.
How does the audit work?
The audit assesses each of these critical security controls and how your business is implementing them. Once the controls have been assessed, a SecurityMetrics auditor will then help your organization improve its cybersecurity posture.
SANS Top 20 Critical Security Controls
Want to know about these top security controls? Here’s a quick list.
- CSC 1: Inventory of Authorized and Unauthorized Devices—Actively manage (inventory, track, and correct) all hardware devices on the network
- CSC 2: Inventory of Authorized and Unauthorized Software—Actively manage (inventory, track, and correct) all software on the network
- CSC 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers—Establish, implement, and actively manage the security configuration of laptops, servers, and workstations
- CSC 4: Continuous Vulnerability Assessment and Remediation—Continuously acquire, assess, and take action on new information to identify vulnerabilities, remediate, and minimize the window of opportunity for attackers
- CSC 5: Controlled Use of Administrative Privileges—The processes and tools used to track/control/prevent/correct the use, assignment, and configuration of administrative privileges on computers, networks, and applications
- CSC 6: Maintenance, Monitoring, and Analysis of Audit Logs—Collect, manage, and analyze audit logs of events to help detect, understand, or recover from an attack
- CSC 7: Email and Web Browser Protections—Minimize the attack surface and the opportunities for attackers to manipulate human behavior through their interaction with web browsers and email systems
- CSC 8: Malware Defenses—Control the installation, spread, and execution of malicious code at multiple points in the enterprise
- CSC 9: Limitation and Control of Network Ports, Protocols, and Services—Manage the windows of vulnerability available to attackers
- CSC 10: Data Recovery Capability—The processes and tools used to properly back up critical information with a proven methodology for timely recovery of it
- CSC 11: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches—Establish, implement, and actively manage the security configuration of network infrastructure devices
- CSC 12: Boundary Defense—Detect/prevent/correct the flow of information transferring between networks of different trust levels, with a focus on security-damaging data
- CSC 13: Data Protection—The processes and tools used to prevent data exfiltration, mitigate the effects of exfiltrated data, and ensure the privacy and integrity of sensitive information
- CSC 14: Controlled Access Based on the Need to Know—The processes and tools used to track/control/prevent/correct secure access to critical assets based on which persons, computers, and applications have a need and right to access
- CSC 15: Wireless Access Control—The processes and tools used to track/control/prevent/correct the secure use of wireless local area networks (LANs), access points, and wireless client systems
- CSC 16: Account Monitoring and Control—Actively manage the life cycle of system and application accounts to minimize opportunities for attackers to leverage them
- CSC 17: Security Skills Assessment and Appropriate Training to Fill Gaps—For all functional roles in the organization, identify the specific knowledge, skills, and abilities needed to support defense of the enterprise; develop and execute an integrated plan to assess, identify gaps, and remediate through policy, organizational planning, training, and awareness programs
- CSC 18: Application Software Security—Manage the security life cycle of all in-house developed and acquired software to prevent, detect, and correct security weaknesses
- CSC 19: Incident Response and Management—Protect the organization’s information, as well as its reputation, by developing and implementing an incident response infrastructure plan
- CSC 20: Penetration Tests and Red Team Exercises—Test the overall strength of an organization’s defenses (the technology, the processes, and the people) by simulating the objectives and actions of an attacker