The 5 CIS controls you should implement first

The CIS Critical Security Controls list (formerly the SANS Top 20 controls) has been the gold standard for security defense advice. These are the tasks you should do first.

Most companies do not properly evaluate computer security risk and end up with controls misaligned to their biggest risks. It’s the subject of my Data-Driven Computer Security Defense book. A lot of security pros know this, which is why after many of my talks on risk management, I’ll be asked which controls to implement from the SANS Top 20 Critical Controls list.

Most serious computer security professionals I know look forward to each SANS Top 20 update and the poster that comes with it. It contains very good computer security defense advice, but as with any action list, it’s impossible to perfectly do more than a few things at once. Following is advice on which controls to do first, but first let me provide a little history on the SANS list.

It’s now the CIS Controls

SANS turned over the Top 20 list to the Center for Internet Security (CIS) years ago, and it’s now called the CIS Critical Security Controls. CIS is another highly respected, non-profit computer security organization that has been around for decades. It is probably best known for publishing the CIS Benchmarks, its best-practice hardening recommendations for operating systems and other platforms. If you want an independent, non-governmental entity’s recommendations for securing Microsoft Windows, CIS is where you go.

[Figure: CIS Controls v7.1 matrix, July 2019. Source: Center for Internet Security]

The CIS Critical Security Controls
