Critical Security Controls (the Controls) are a recommended set of actions for cyber defense that provide specific and actionable ways to thwart the most pervasive attacks.
The Controls are a relatively short list of high-priority, highly effective defensive actions that, provides a "must-do, do-first" starting point for every enterprise seeking to improve their cyber defense.
An enterprise can use the Controls to rapidly define the starting point for their defenses, direct their scarce resources on actions with immediate and high-value payoff, and then focus their attention and resources on additional risk issues that are unique to their business or mission.
Assessment of risk for today's complex computing and network environments must be a continuous cycle of activity, not "events" that occur every 3 years. Concepts like "Continuous Monitoring" have become the way that we describe and think about security management.
The Controls provide a focus on the most important actions to be monitored because many of the controls include a primary emphasis on automation and continuous assessment.
Since the Controls were derived from the most common attack patterns and were vetted across a very broad community of government and industry, they serve as the basis for immediate high-value action
There are two primary requirements/components that must be in place:
1. The Information Security Management System contains 17 mandatory controls; and if these basic controls are not in place, the auditors will identify a major non-conformity. Without immediate remediation, this is sufficient reason to revoke certification.
2. There are an additional 133 controls listed within “Annex A” of the standard — the measurement against which the auditors evaluate us and upon which forms our control framework.
There can be various ways in which this can be done:
- Employees should undergo mandatory information security training post joining the organisation. This should also be done on yearly basis, and this can be either a classroom session followed by a quiz or an online training.
- Sending out notifications on regular basis in the form of slides, one pagers etc. to ensure that the employees are kept aware.
- In a situation where both Open source software and licensed software are available to get the job done. What should be preferred and why?
TIP: Think from a security perspective and not from the functionality point.
- For an enterprise, it is better to go for the licensed version of the software as most of the software have an agreement clause that the software should be used for individual usage and not for commercial purpose. Plus, the licensed version is updated and easy to track in an organisation. It also helps the clients develop a confidence on the organisations’ software and practices.