Tuesday, July 29, 2014

CPNI 20 Critical Security Controls

Extremely well done. These are published by the UK Centre for the Protection of National Infrastructure (CPNI).

Overview: http://www.cpni.gov.uk/advice/cyber/Critical-controls
Direct: http://www.cpni.gov.uk/documents/publications/2014/2014-04-11-critical-security-controls.pdf

Article Summary
The Critical Security Controls for cyber defence are a baseline of high-priority information security measures and controls that can be applied across an organisation in order to improve its cyber defence. CPNI is participating in an international government-industry effort to promote the Critical Security Controls for computer and network security. The development of these controls is being coordinated by the Council on CyberSecurity website.

Critical Security Controls guidance
CSC 1: Inventory of Authorized and Unauthorized Devices
CSC 2: Inventory of Authorized and Unauthorized Software 
CSC 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers 
CSC 4: Continuous Vulnerability Assessment and Remediation 
CSC 5: Malware Defenses 
CSC 6: Application Software Security
CSC 7: Wireless Access Control
CSC 8: Data Recovery Capability
CSC 9: Security Skills Assessment and Appropriate Training to Fill Gaps 
CSC 10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches 
CSC 11: Limitation and Control of Network Ports, Protocols, and Services 
CSC 12: Controlled Use of Administrative Privileges 
CSC 13: Boundary Defense
CSC 14: Maintenance, Monitoring, and Analysis of Audit Logs 
CSC 15: Controlled Access Based on the Need to Know
CSC 16: Account Monitoring and Control 
CSC 17: Data Protection 
CSC 18: Incident Response and Management 
CSC 19: Secure Network Engineering
CSC 20: Penetration Tests and Red Team Exercises

Also found this while researching new information for a class. Session title is "When Controls Fail".