SANS Analyst Program: Implementing the Critical Security Controls

May 14, 2013

Since the SANS Institute hosted the first version of the Critical Security Controls (CSC) in 2008, the controls have been upgraded four times to meet the demands of an evolving threat and vulnerability landscape. During that time, the Department of Homeland Security essentially made the CSCs a de facto standard to be followed by its branches. Canadian and other international authorities are also using these controls as guidelines to support their own cybersecurity policies, as are private-sector organizations with the most to lose, such as those in the infrastructure and financial fields.

Over time, the guidance in the CSCs has evolved to add detailed information on metrics for measuring effectiveness, implementation, automation and control test procedures, as well as “quick wins” suggestions. Through this guidance, organizations can begin to implement the controls in a way that illuminates their areas of vulnerability and ultimately improves their risk ratings, while making their networks more resilient to attacks.