20 critical security controls your organization should focus on

 

The 20 critical security controls identified in the Consensus Audit Guidelines represent the highest-priority defenses that enterprises should focus on, based on the likelihood of real-world attacks. The categories, which are not presented in order of priority, are broken down into those that can be validated at least in part in an automated manner and those that involve manual validation.

Critical controls subject to automated collection, measurement and validation:

1. Inventory of authorized and unauthorized devices.
2. Inventory of authorized and unauthorized software.
3. Secure configurations for hardware and software on laptop PCs, workstations and servers.
4. Secure configurations for network devices such as firewalls, routers and switches.
5. Boundary defense.
6. Maintenance, monitoring and analysis of security audit logs.
7. Application software security.
8. Controlled use of administrative privileges.
9. Controlled access based on need to know.
10. Continuous vulnerability assessment and remediation.
11. Account monitoring and control.
12. Malware defenses.
13. Limitation and control of network ports, protocols and services.
14. Wireless device control.
15. Data loss prevention.

Additional critical controls, not directly supported by automated measurement and validation:

16. Secure network engineering.
17. Penetration tests and red-team exercises.
18. Incident response capability.
19. Data recovery capability.
20. Security skills assessment and appropriate training to fill gaps.

About the Author

John Moore is a freelance writer based in Syracuse, N.Y.

Featured

  • Cybersecurity

    DHS floats 'collective defense' model for cybersecurity

    Homeland Security Secretary Kirstjen Nielsen wants her department to have a more direct role in defending the private sector and critical infrastructure entities from cyberthreats.

  • Defense
    Defense Secretary James Mattis testifies at an April 12 hearing of the House Armed Services Committee.

    Mattis: Cloud deal not tailored for Amazon

    On Capitol Hill, Defense Secretary Jim Mattis sought to quell "rumors" that the Pentagon's planned single-award cloud acquisition was designed with Amazon Web Services in mind.

  • Census
    shutterstock image

    2020 Census to include citizenship question

    The Department of Commerce is breaking with recent practice and restoring a question about respondent citizenship last used in 1950, despite being urged not to by former Census directors and outside experts.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.