As a CISO you’re faced with a fairly daunting challenge – ensure that everything you do for your enterprise is effective for your security and for your compliance. The key word isn’t security, and it’s not compliance, it’s effective. How do you know what you’re doing is effective when you’re potentially faced with legal (SOX), regulatory (HIPAA), contractual (PCI), and internal (ISO) requirements? What does effective really mean, anyway? One might say that effective is maximizing value for the minimum possible resource expense. If you’re just getting started with your security program, or want to ensure that you’re moving in the right direction, this post (and many that follow) is for you.
Recently, the Center for Strategic and International Studies (CSIS) released version four of the 20 Critical Security Controls (hosted here by SANS). Rather than paraphrase how these 20 critical controls were determined, I’ll quote:
These Top 20 Controls were agreed upon by a powerful consortium brought together by John Gilligan (previously CIO of the US Department of Energy and the US Air Force) under the auspices of the Center for Strategic and International Studies. Members of the Consortium include NSA, US Cert, DoD JTF-GNO, the Department of Energy Nuclear Laboratories, Department of State, DoD Cyber Crime Center plus the top commercial forensics experts and pen testers that serve the banking and critical infrastructure communities.
The 20 critical controls (I’ll call them the “Controls” from here on out) talk about four tenets (again quoting from the source):
- Offense informs defense: Use knowledge of actual attacks that have compromised systems to provide the foundation to build effective defenses.
- Metrics: Establish common metrics to provide a shared language for executives, IT specialists, auditors, and security officials to measure the effectiveness of security measures within an organization so that required adjustments can be identified and implemented quickly.
- Continuous monitoring: Carry out continuous monitoring/auditing to test and validate whether current security measures are proactively remediating vulnerabilities in a timely manner.
- Automation: Automate defenses so that organizations can achieve reliable, scalable, and continuous measurements of their adherence to the controls and related metrics.
Implementing the Controls, while terse when compared to the likes of NIST 800-53 and COBIT v5, will take you on an informational journey through your enterprise. Using communication methods such as Entity Relationship Diagrams and putting each control into contexts such as “quick wins,” “visibility and attribution,” “improved information security configuration and hygiene,” and “advanced sub-controls” really helps you plan for an iterative improvement process over time. Additionally, there’s nothing mandating that you cover each control in order. In fact, it’s quite reasonable to start out of order. For example, the National Security Agency has a view of the Controls as represented in the Controls’ 2012 Winter Poster (PDF) – the following image was captured from that poster.
Because the Controls are broad and go deep, it would be folly to treat them all in a single post. So, consider this post the first in a series that is “Parsing The 20 Critical Security Controls.” To that end, I intend to scour each control in order to identify the primary actors, the processes and tools it names, and to call out detailed requirements your organization can then use as a checklist of sorts. Then, we can have a discussion about whether the present categorization makes sense, identify gaps, and propose solutions (probably not for the faint-hearted).
The only problem is that I’m not sure in what order I should cover them.
This is where I could use your help – do you have a preference?
- Critical Control 1: Inventory of Authorized and Unauthorized Devices
- Critical Control 2: Inventory of Authorized and Unauthorized Software
- Critical Control 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
- Critical Control 4: Continuous Vulnerability Assessment and Remediation
- Critical Control 5: Malware Defenses
- Critical Control 6: Application Software Security
- Critical Control 7: Wireless Device Control
- Critical Control 8: Data Recovery Capability
- Critical Control 9: Security Skills Assessment and Appropriate Training to Fill Gaps
- Critical Control 10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
- Critical Control 11: Limitation and Control for Network Ports, Protocols, and Services
- Critical Control 12: Controlled Use of Administrative Privileges
- Critical Control 13: Boundary Defense
- Critical Control 14: Maintenance, Monitoring, and Analysis of Audit Logs
- Critical Control 15: Controlled Access Based on the Need to Know
- Critical Control 16: Account Monitoring and Control
- Critical Control 17: Data Loss Prevention
- Critical Control 18: Incident Response and Management
- Critical Control 19: Secure Network Engineering
- Critical Control 20: Penetration Tests and Red Team Exercises
Sound off on what order you’d prefer to see the Controls covered, and I’ll listen.
Editor’s Note: This article was written by a former contributor to The State of Security who now resides with a non-profit group with an excellent reputation. We thank him for his opinions and perspective, and wish we could acknowledge him directly for his outstanding efforts on this series.