
What are the 20 Critical Controls? (Mon, Oct 3rd)

[the following is a guest diary contributed by Dr. Eric Cole]

One of the questions I often receive is what the twenty critical controls are.  Details can be found at www.sans.org/cag, but the general approach of the controls is to begin the process of establishing a prioritized baseline of information security measures and controls that will lead to effective security. The consensus effort that produced the controls has identified 20 specific technical security controls that are viewed as effective at defending against the most common methods of attack. Fifteen of these controls can be monitored, at least in part, automatically and continuously. The consensus effort has also identified a second set of five controls that are essential but are more difficult to monitor continuously or automatically with current technology and practices; they are nonetheless critical to achieving an optimal level of security. Each of the 20 control areas includes multiple individual sub-controls, each specifying actions an organization can take to help improve its defenses.

Additionally, the controls are designed to support agencies and organizations that currently have different levels of information security capability.  To help organizations focus on achieving a sound baseline of security and then improve beyond that baseline, certain sub-controls have been categorized as follows:

—————-
Dr. Eric Cole
twitter: drericcole
ecole .at. secure-anchor.com


Article source: http://isc.sans.edu/diary.html?storyid=11719&rss
