SANS - Implementing the Critical Security Controls

Since the SANS Institute hosted the first version of the Critical Security Controls (CSC) in 2008, the controls have been upgraded four times to meet the demands of an evolving threat and vulnerability landscape. During that time, the Department of Homeland Security essentially made the CSCs a de facto standard to be followed by its branches. Canadian and other international authorities are also using these controls as guidelines to support their own cyber security policies, and so, too, are private-sector organizations with the most to lose, such as those in the infrastructure and financial fields.

This paper serves as a how-to for organizations in various stages of implementing the controls and offers two real-world examples of CSC adoption. The case studies are based on real-time interviews with the people behind the efforts and include the security environments before the implementation, the challenges experienced in adopting the controls and the benefits they have experienced since.