{"id":55,"date":"2017-01-19T23:37:09","date_gmt":"2017-01-19T23:37:09","guid":{"rendered":"https:\/\/hjinterim.wordpress.com\/?p=55"},"modified":"2017-01-19T23:37:09","modified_gmt":"2017-01-19T23:37:09","slug":"parsing-the-20-critical-security-controls","status":"publish","type":"post","link":"https:\/\/hjinterim.tech\/index.php\/2017\/01\/19\/parsing-the-20-critical-security-controls\/","title":{"rendered":"Parsing The 20 Critical Security Controls"},"content":{"rendered":"<p><img fetchpriority=\"high\" decoding=\"async\" class=\"alignnone  wp-image-1793\" src=\"https:\/\/hjinterim.files.wordpress.com\/2017\/01\/d3a4febf87d1929fe6b3411042884151.jpg\" alt=\"d3a4febf87d1929fe6b3411042884151\" width=\"861\" height=\"646\" \/><\/p>\n<p>As a CISO you\u2019re faced with a fairly daunting challenge \u2013 ensure that everything you do for your enterprise is effective for your security and for your compliance.\u00a0The key word isn\u2019t security, and it\u2019s not compliance, it\u2019s\u00a0<em>effective<\/em>.\u00a0How do you know what you\u2019re doing is effective when you\u2019re potentially faced with legal (SOX), regulatory (HIPAA), contractual (PCI), and internal (ISO) requirements?\u00a0What does effective really mean, anyway?\u00a0One might say that effective is maximizing value for the minimum possible resource expense.\u00a0If you\u2019re just getting started with your security program, or want to ensure that you\u2019re moving in the right direction, this post (and many that follow) is for you.<\/p>\n<p>Recently, the Center for Strategic and International Studies (CSIS) released version four of the 20 Critical Security Controls (hosted\u00a0<a href=\"http:\/\/www.sans.org\/critical-security-controls\/\" target=\"_blank\" rel=\"nofollow noopener\">here<\/a>\u00a0by SANS).\u00a0Rather than paraphrase how these 20 critical controls were determined, I\u2019ll quote:<\/p>\n<p>These Top 20 Controls were agreed upon by a powerful consortium brought together by 
John Gilligan (previously CIO of the US Department of Energy and the US Air Force) under the auspices of the Center for Strategic and International Studies. Members of the Consortium include NSA, US Cert, DoD JTF-GNO, the Department of Energy Nuclear Laboratories, Department of State, DoD Cyber Crime Center plus the top commercial forensics experts and pen testers that serve the banking and critical infrastructure communities.<\/p>\n<p>The 20 critical controls (I\u2019ll call them the \u201cControls\u201d from here on out) talk about four tenets (again quoting from the source):<\/p>\n<ol>\n<li><strong>Offense informs defense:<\/strong>\u00a0Use knowledge of actual attacks that have compromised systems to provide the foundation to build effective defenses.<\/li>\n<li><strong>Metrics:<\/strong>\u00a0Establish common metrics to provide a shared language for executives, IT specialists, auditors, and security officials to measure the effectiveness of security measures within an organization so that required adjustments can be identified and implemented quickly.<\/li>\n<li><strong>Continuous monitoring:<\/strong>\u00a0Carry out continuous monitoring\/auditing to test and validate whether current security measures are proactively remediating vulnerabilities in a timely manner.<\/li>\n<li><strong>Automation:<\/strong>\u00a0Automate defenses so that organizations can achieve reliable, scalable, and continuous measurements of their adherence to the controls and related metrics.<\/li>\n<\/ol>\n<p>Implementing the Controls, while terse when compared to the likes of NIST 800-53 and COBIT v5, will take you on an informational journey through your enterprise.\u00a0Using communication methods such as Entity Relationship Diagrams and putting each control into contexts such as \u201cquick wins,\u201d \u201cvisibility and attribution,\u201d \u201cimproved information security configuration and hygiene,\u201d and \u201cadvanced sub-controls\u201d really helps you plan for an iterative 
improvement process over time.\u00a0Additionally, there\u2019s nothing mandating that you cover each control in order.\u00a0In fact, it\u2019s quite reasonable to start out of order.\u00a0For example, the National Security Agency has a view of the Controls as represented in the Controls\u2019 2016 Poster (<a href=\"http:\/\/www.sans.org\/security-resources\/posters\/special\/20-critical-security-controls-55\" target=\"_blank\" rel=\"nofollow noopener\">PDF<\/a>) \u2013 the following image was captured from that poster.<\/p>\n<div class=\"slate-resizable-image-embed slate-image-embed__resize-full-width\"><img decoding=\"async\" class=\"alignnone size-full wp-image-1791\" src=\"https:\/\/hjinterim.files.wordpress.com\/2017\/01\/20-critical-controls-poster-2013-1.jpg\" alt=\"20-Critical-Controls-Poster-2013-1\" width=\"1600\" height=\"1137\" \/><\/div>\n<p>NSA View of 20 Critical Controls<\/p>\n<p>Because the Controls are broad and go deep, it would be folly to treat them all in a single post.\u00a0So, consider this post the first in a series that is \u201cParsing The 20 Critical Security Controls.\u201d\u00a0To that end, I intend to scour each control in order to identify the primary actors, identified processes and tools, and to call out detailed requirements your organization can then use as a checklist of sorts.\u00a0Then, we can have a discussion about whether the present categorization makes sense, identify gaps, and propose solutions (probably not for the light-hearted).<\/p>\n<p>The only problem is that I\u2019m not sure in what order I should cover them.<\/p>\n<p>This is where I could use your help \u2013 do you have a preference?<\/p>\n<ul>\n<li>Critical Control 1: Inventory of Authorized and Unauthorized Devices<\/li>\n<li>Critical Control 2: Inventory of Authorized and Unauthorized Software<\/li>\n<li>Critical Control 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers<\/li>\n<li>Critical Control 4: 
Continuous Vulnerability Assessment and Remediation<\/li>\n<li>Critical Control 5: Malware Defenses<\/li>\n<li>Critical Control 6: Application Software Security<\/li>\n<li>Critical Control 7: Wireless Device Control<\/li>\n<li>Critical Control 8: Data Recovery Capability<\/li>\n<li>Critical Control 9: Security Skills Assessment and Appropriate Training to Fill Gaps<\/li>\n<li>Critical Control 10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches<\/li>\n<li>Critical Control 11: Limitation and Control for Network Ports, Protocols, and Services<\/li>\n<li>Critical Control 12: Controlled Use of Administrative Privileges<\/li>\n<li>Critical Control 13: Boundary Defense<\/li>\n<li>Critical Control 14: Maintenance, Monitoring, and Analysis of Audit Logs<\/li>\n<li>Critical Control 15: Controlled Access Based on the Need to Know<\/li>\n<li>Critical Control 16: Account Monitoring and Control<\/li>\n<li>Critical Control 17: Data Loss Prevention<\/li>\n<li>Critical Control 18: Incident Response and Management<\/li>\n<li>Critical Control 19: Secure Network Engineering<\/li>\n<li>Critical Control 20: Penetration Tests and Red Team Exercises<\/li>\n<\/ul>\n<p>After reading this, and to better understand the security awareness it calls for, take a look at the figure below.<\/p>\n<div class=\"slate-resizable-image-embed slate-image-embed__resize-full-width\"><img decoding=\"async\" class=\"alignnone size-full wp-image-1795\" src=\"https:\/\/hjinterim.files.wordpress.com\/2017\/01\/95.jpg\" alt=\"95\" width=\"4538\" height=\"3188\" \/><\/div>\n<p>CIS Critical Security Controls you should be aware of&#8230;<\/p>\n<div class=\"slate-resizable-image-embed slate-image-embed__resize-full-width\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-1792\" src=\"https:\/\/hjinterim.files.wordpress.com\/2017\/01\/55.jpg\" alt=\"55\" width=\"4500\" height=\"3150\" \/><\/div>\n<p>As always, stay safe and gain awareness of your 
environment&#8230;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>As a CISO you\u2019re faced with a fairly daunting challenge \u2013 ensure that everything you do for your enterprise is effective for your security and for your compliance.\u00a0The key word isn\u2019t security, and it\u2019s not compliance, it\u2019s\u00a0effective.\u00a0How do you know what you\u2019re doing is effective when you\u2019re potentially faced with legal (SOX), regulatory (HIPAA), contractual &#8230; <a title=\"Parsing The 20 Critical Security Controls\" class=\"read-more\" href=\"https:\/\/hjinterim.tech\/index.php\/2017\/01\/19\/parsing-the-20-critical-security-controls\/\">Read more<span class=\"screen-reader-text\">Parsing The 20 Critical Security Controls<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":1793,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[20],"tags":[],"class_list":["post-55","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-gdpr"],"_links":{"self":[{"href":"https:\/\/hjinterim.tech\/index.php\/wp-json\/wp\/v2\/posts\/55","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/hjinterim.tech\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/hjinterim.tech\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/hjinterim.tech\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/hjinterim.tech\/index.php\/wp-json\/wp\/v2\/comments?post=55"}],"version-history":[{"count":0,"href":"https:\/\/hjinterim.tech\/index.php\/wp-json\/wp\/v2\/posts\/55\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/hjinterim.tech\/index.php\/wp-json\/"}],"wp:attachment":[{
"href":"https:\/\/hjinterim.tech\/index.php\/wp-json\/wp\/v2\/media?parent=55"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/hjinterim.tech\/index.php\/wp-json\/wp\/v2\/categories?post=55"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/hjinterim.tech\/index.php\/wp-json\/wp\/v2\/tags?post=55"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}