In the IT security world, policies and controls are king

The SANS Institute's 20 Critical Security Controls document can help admins improve their organization's security defenses

1 2 Page 2
Page 2 of 2

Here's the summary list:

  1. Inventory of Authorized and Unauthorized Devices
  2. Inventory of Authorized and Unauthorized Software
  3. Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
  4. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
  5. Boundary Defense
  6. Maintenance, Monitoring, and Analysis of Security Audit Logs
  7. Application Software Security
  8. Controlled Use of Administrative Privileges
  9. Controlled Access Based on the Need to Know
  10. Continuous Vulnerability Assessment and Remediation
  11. Account Monitoring and Control
  12. Malware Defenses
  13. Limitation and Control of Network Ports, Protocols, and Services
  14. Wireless Device Control
  15. Data Loss Prevention
  16. Secure Network Engineering
  17. Penetration Tests and Red Team Exercises
  18. Incident Response Capability
  19. Data Recovery Capability
  20. Security Skills Assessment and Appropriate Training to Fill Gaps

I encourage those interested to read the large PDF version of the document.

Also, I recommend that anyone running the security defenses at an IT shop take a look at the control recommendations and note where his or her organization's policies, procedures, and implementations have gaps.

The list is not ranked in order by priority. You would first have to determine what your organization's risk are, decide what is not being optimally addressed, and then go about fixing the gaps. For instance, in most companies the biggest risk leading to the most compromises is end-users installing things that they shouldn't, such as malware. Controls under the umbrellas of Malware Defenses and Controlled User of Administrative Privileges are the ones most likely to appropriately address those related problems. When you have end-users installing fake antivirus programs, boundary defenses, and more, secure network engineering isn't going to get you a lot of bang for your buck.

I especially like that the controls include inventories. I'm surprised by how many IT shops have no idea what software and hardware is used within their environment, especially the unmanaged components. The only other inventory item I would add is data inventory. All the controls we are mentioning are to manage the data, and you can't implement the Data Loss Prevention control if you don't know where the data is.

Again, I encourage computer security defenders to download and review the bigger document. You will improve your ideas -- you won't be able to help it.

This story, "In the IT security world, policies and controls are king," was originally published at Keep up on the latest developments in network security and read more of Roger Grimes's Security Adviser blog at For the latest business technology news, follow on Twitter.

Copyright © 2011 IDG Communications, Inc.

1 2 Page 2
Page 2 of 2
How to choose a SIEM solution: 11 key features and considerations