The Critical Security Controls (CSC) are a baseline of information security measures and controls agreed upon by US federal CIOs and CISOs, based on the tenet “offense must inform defense”. These measures and controls should be continuously monitored through automated mechanisms. Even though the framework was developed primarily for US federal organizations, it can be adopted by both commercial and non-commercial institutions to secure their environments.
It identifies 20 crucial controls that can be used to prepare a roadmap for securing an enterprise. Each control comes with sub-controls grouped into Quick Wins (QW), Improved Visibility and Attribution (Vis/Attrib), Hardened Configuration and Improved Information Security Hygiene (Config/Hygiene) and Advanced; these groupings help in preparing the roadmap.
Critical Controls Subject to Automated Collection, Measurement, and Validation:
1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
4. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
5. Boundary Defense
6. Maintenance, Monitoring, and Analysis of Security Audit Logs
7. Application Software Security
8. Controlled Use of Administrative Privileges
9. Controlled Access Based on Need to Know
10. Continuous Vulnerability Assessment and Remediation
11. Account Monitoring and Control
12. Malware Defenses
13. Limitation and Control of Network Ports, Protocols, and Services
14. Wireless Device Control
15. Data Loss Prevention
Additional Critical Controls (not directly supported by automated measurement and validation):
16. Secure Network Engineering
17. Penetration Tests and Red Team Exercises
18. Incident Response Capability
19. Data Recovery Capability
20. Security Skills Assessment and Appropriate Training to Fill Gaps
According to the document, the first fifteen controls in the list above can be monitored automatically and continuously. The controls not only block the initial compromise of systems, but also address detecting already-compromised systems and preventing or disrupting an attacker’s session. The document recommends periodic and continual testing of the controls to protect IT systems as well as personally identifiable information.
It would help to prepare a spreadsheet identifying the QW, Vis/Attrib, Config/Hygiene and Advanced sub-controls for each control. The spreadsheet will help prioritize the controls for the roadmap.
The CSC document is available at http://sans.org/cag/