20 critical security controls your organization should focus on

 

The 20 critical security controls identified in the Consensus Audit Guidelines represent the highest-priority defenses that enterprises should focus on, based on the likelihood of real-world attacks. The categories, which are not presented in order of priority, are broken down into those that can be validated at least in part in an automated manner and those that involve manual validation.

Critical controls subject to automated collection, measurement and validation:

1. Inventory of authorized and unauthorized devices.
2. Inventory of authorized and unauthorized software.
3. Secure configurations for hardware and software on laptop PCs, workstations and servers.
4. Secure configurations for network devices such as firewalls, routers and switches.
5. Boundary defense.
6. Maintenance, monitoring and analysis of security audit logs.
7. Application software security.
8. Controlled use of administrative privileges.
9. Controlled access based on need to know.
10. Continuous vulnerability assessment and remediation.
11. Account monitoring and control.
12. Malware defenses.
13. Limitation and control of network ports, protocols and services.
14. Wireless device control.
15. Data loss prevention.

Additional critical controls, not directly supported by automated measurement and validation:

16. Secure network engineering.
17. Penetration tests and red-team exercises.
18. Incident response capability.
19. Data recovery capability.
20. Security skills assessment and appropriate training to fill gaps.

About the Author

John Moore is a freelance writer based in Syracuse, N.Y.

Featured

  • Workforce
    online collaboration (elenabsl/Shutterstock.com)

    Federal employee job satisfaction climbed during pandemic

    The survey documents the rapid change to teleworking postures in government under the COVID-19 pandemic.

  • Workforce
    By Mark Van Scyoc Royalty-free stock photo ID: 285175268

    OPM nominee plans focus on telework, IT, retirement

    Kiran Ahuja, a veteran of the Office of Personnel Management, told lawmakers that she thinks that the lack of consistent leadership in the top position at OPM has taken a toll on the ability of the agency to complete longer term IT modernization projects.

Stay Connected