Government information security has come under scrutiny in the past few years. With this in mind, FISMA requirements have been reviewed to make understanding compliance simpler. The 20 Critical Security Controls focus on prevention, monitoring and detection, all of which are essential to cyber security.
The 20 requirements will help to ensure organisations know what to prioritise and what to measure, allowing consistent compliance throughout the year. By focusing on what's important, government agencies can utilise their budget effectively.
20 Critical Controls
CSIS: 20 Critical Security Controls

Critical Control (Effect on Attack Mitigation)
1. Inventory of Authorised and Unauthorised Devices (Very high)
2. Inventory of Authorised and Unauthorised Software (Very high)
3. Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers (Very high)
4. Continuous Vulnerability Assessment and Remediation (Very high)
5. Malware Defences (High)
6. Application Software Security (High)
7. Wireless Device Control (High)
8. Data Recovery Capability (Moderately high to high)
9. Security Skills Assessment and Appropriate Training to Fill Gaps (Moderately high to high)
10. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches (Moderately high)
11. Limitation and Control of Network Ports, Protocols, and Services (Moderately high)
12. Controlled Use of Administrative Privileges (High)
13. Boundary Defence (Moderately high)
14. Maintenance, Monitoring, and Analysis of Security Audit Logs (Moderately high)
15. Controlled Access Based on the Need to Know (Moderate)
16. Account Monitoring and Control (Moderate)
17. Data Loss Prevention (Moderately low to moderate)
18. Incident Response Capability (Moderately low to moderate)
19. Secure Network Engineering (Low)
20. Penetration Tests and Red Team Exercises (Low)

Note: the title of control 6 and the ratings for controls 6, 7 and 11 to 14 are not legible in the source; they are taken here from the published CSIS list.

Effect on attack mitigation, as rated above:
Very high: actively targeted and exploited by all threats.
High: known entry point for targeted attacks.
Moderate: reduce attack surface, address known propagation techniques, and/or mitigate impact.
Low: optimising, validating, and/or effectively managing controls.

For more information on applying the 20 Critical Controls, visit Sans.org