Information security is complex, to say the least. It can feel overwhelming for security professionals as we get our heads around all of the issues and approaches to protecting data. Many of the frameworks out there (NIST, ISO, COBIT/COSO, etc.) may help as part of a long-term strategic approach, but they don’t make life much easier in the short term. It’s often a six-month project just to figure out what they’re talking about.
The SANS Institute has published a “Top 20” to address this challenge. The idea was to define the 20 most critical controls so that organizations can focus their efforts on the 20 things that can have a real, measurable impact on information security in a short time frame. They are a subset of the overall information security picture, and they’re intended to be free of FUD, vendor-speak, and specific solution approaches.
Of the SANS Top 20 Security Controls, Dan Mintz, former CIO at the US Dept of Transportation, commented:
“What excites me is this approach allows often resource-constrained organizations to both focus on the most critical priorities and to implement solutions that are both practical and important.”
The controls cover a wide variety of topics, from perimeter defense to account monitoring and data loss prevention. STEALTHbits’ flexible StealthAUDIT platform addresses many of the control areas in the SANS Top 20 with a single install. We recently produced a short document outlining how we respond to each of the 20 controls, painting a broad picture of where we fit and where we don’t.
For more information on the SANS Top 20 Critical Security Controls, please visit the SANS website.