20 Critical Security Controls (20 CSC)
SANS combined government-derived information security guidance with real-life attacks observed in businesses of all sizes to inform appropriate defense. This produced SANS's original list of 10 controls, which later grew into the 20 Critical Security Controls. These 20 Critical Security Controls are becoming more important every day, and using them will leave your organization less at risk than it was before adopting them.
The 20 CSC are founded on these 7 core principles:
- Controls must address current attacks, emerging technologies, and the changing mission and business requirements for IT.
- Focus must be given to the key topics that are most impactful throughout the lifecycle of information protection.
- The controls must easily align to other related frameworks, such as those provided by NIST.
- Each sub-control is a single implementable action or activity: one and only one per sub-control.
- These controls must, and will, grow and change rapidly along with the security ecosystem.
- The controls must be relevant and adapt to organizations of various sizes and configurations.
- The controls are directly influenced by real-life attacks experienced by a global volunteer working group.
The 20 CSCs were formed by taking experiences of the attackers and the attacked to gain insight on appropriate defense.
The controls are grouped into three tiers:
- Basic (CIS Controls 1-6) provide essential, fundamental cyber defense and should be implemented in every organization. If the basic 6 are implemented, your organization is already 85% less at risk than a company failing to utilize them.
- Foundational (CIS Controls 7-16) provide the technical best practices that deliver clear security benefits.
- Organizational (CIS Controls 17-20) focus more on the people and processes involved than CIS Controls 1-16 do.
The 20 CSCs form the structure of CIT's cyber-security practice. For more information on these CSCs, contact CIT; we are here to help. Check out more detailed posts on CIT's blog page.