SANS 20 Critical Security Controls – Simplifying the security standard
Posted on November 18, 2013 by ashley
Josh Stone, Director of Product Management
New standards and compliance requirements are always coming out. But, once in a great while, one of these strikes a chord with the right industry representatives and gains immediate ascendancy among the various standards and best practices already available. One you may have heard a little about already is the SANS 20 Critical Security Controls. This is an excellent standard that should receive immediate attention in your organization. Why is that? I’ll present three reasons you should consider adopting the SANS 20 Critical Security Controls in your environment:
- A real-world perspective – many standards emanate from sources that emphasize the abstract, managerial, or strategic aspects of information security. While those are important, the SANS 20 Critical Security Controls standard takes a very hands-on approach, and builds in the “real-world” steps that you can take to really reduce your risk. Other standards still have their place, but if you want a list of 20 things on which you can take immediate action that will definitely reduce your risk, you need look no further.
- Regulator recognition – cprlorca has received significant feedback from a number of clients that industry regulatory examiners, external auditors, and other sources are asking about this standard more and more over time. One explanation is the brevity of the standard: with 20 items to check for, and supported by an information security powerhouse like SANS, compliance is an achievable goal and effective audit and review is straightforward. It behooves you to review this standard before you hear about it in your next audit.
- Supplemental guidance – SANS has built this standard with the recognition that no one will have all 20 controls operating at maximum effectiveness. Everyone will need to work on something. One way they’ve made things easier is by documenting a large body of supplemental information for each of the 20 controls. You can find advice for “quick wins” all the way through measuring and monitoring at a maximum implementation level for each one. We have found that the materials provided with the 20 controls are often more valuable than the control list itself.
Will the 20 Critical Controls guarantee that you’re secure, and that you can’t be hacked? No – information security is always an arms race, and there’ll always be a way in. But, this new standard gives you an actionable framework to dramatically reduce your risk in an achievable, step-by-step manner. Check out the standard for free at http://www.sans.org/critical-security-controls/.