Levi, Ray & Shoup, Inc.

What are the 20 Critical Security Controls?

6/15/2017 by Greg Hetrick

Is your organization familiar with the Critical Security Controls, or CSC?

The SANS Institute originally created the 20 CSC by bringing together members of the United States government and military cyber defense and offense teams, as well as many high-level industry experts. The result of this SANS-facilitated collaboration was a living list, in order of importance, of 20 controls that organizations need to implement to maintain a high level of cyber security.

This list is not static; in fact, it is frequently reviewed and updated to ensure the controls are meeting the needs of the changing security landscape.

One of the biggest things I like about the CSC is that they map directly to many, if not all, of the compliance benchmarks. Those benchmarks include PCI, NIST 800-35, NIST Core, HIPAA, ISO, FISMA, ITIL, GCHQ, and others. By using the CSC, organizations can ensure they are meeting the compliance standards required in their industry.

The 20 controls are:

  • CSC 1: Inventory of Authorized and Unauthorized Devices
  • CSC 2: Inventory of Authorized and Unauthorized Software
  • CSC 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
  • CSC 4: Continuous Vulnerability Assessment and Remediation
  • CSC 5: Controlled Use of Administrative Privileges
  • CSC 6: Maintenance, Monitoring, and Analysis of Audit Logs
  • CSC 7: Email and Web Browser Protections
  • CSC 8: Malware Defenses
  • CSC 9: Limitation and Control of Network Ports, Protocols, and Services
  • CSC 10: Data Recovery Capability
  • CSC 11: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
  • CSC 12: Boundary Defense
  • CSC 13: Data Protection
  • CSC 14: Controlled Access Based on the Need to Know
  • CSC 15: Wireless Access Control
  • CSC 16: Account Monitoring and Control
  • CSC 17: Security Skills Assessment and Appropriate Training to Fill Gaps
  • CSC 18: Application Software Security
  • CSC 19: Incident Response and Management
  • CSC 20: Penetration Tests and Red Team Exercises

As I mentioned, these controls are listed in order of importance. The recommendation is that an organization get a good handle on CSC 1-4 before diving into more advanced controls such as Penetration Tests and Red Team Exercises at CSC 20.

SANS recently handed over management of the controls to the Center for Internet Security, or CIS. They are now known simply as the CIS Critical Security Controls. The current version of the CSC is version 6.0.

For more information, check out the CIS site: https://www.cisecurity.org/critical-controls.cfm

One of the SANS instructors who teaches classes on auditing against the CSC maintains a large number of resources to help organizations self-assess. One of the most valuable resources is the spreadsheet that maps the CSC: http://www.auditscripts.com/free-resources/critical-security-controls/

In upcoming blog posts I will dig deeper into each of the controls and provide guidance on how you can improve your organization’s security posture based on them. Watch this space!

About the author

Greg Hetrick is our Security Solutions Technical Advisor and Penetration Testing Lead, and he focuses on helping customers identify gaps and achieve security goals. Prior to joining LRS, Greg held roles as a red and blue team leader in a large financial services company and a large academic medical research hospital. He holds multiple certifications in the area of Information Security, including CISSP, GISP, GPEN, and GXPN.