The SysAdmin, Audit, Network, Security (SANS) Institute is coordinating the development of technical measures and activities that help organizations build defences against cyber-attacks. The twenty agreed controls are:
- Inventory of authorised and unauthorised devices
- Inventory of authorised and unauthorised software
- Secure configurations for hardware and software on laptops, workstations, and servers
- Continuous vulnerability assessment and remediation
- Malware defences
- Application software security
- Wireless device control
- Data recovery capability
- Security skills assessment and appropriate training to fill gaps
- Secure configurations for network devices such as firewalls, routers, and switches
- Limitation and control of network ports, protocols, and services
- Controlled use of administrative privileges
- Boundary defence
- Maintenance, monitoring, and analysis of security audit logs
- Controlled access based on the need to know
- Account monitoring and control
- Data loss prevention
- Incident response capability
- Secure network engineering
- Penetration tests and red team exercises
Read more – http://www.sans.org/critical-security-controls/
Read more – http://www.cpni.gov.uk/advice/infosec/Critical-controls/