04 June 2010 · SANS Twenty Critical Controls · Categories: Palo Alto Networks, Security Management, Security-Compliance

An important part of Cymbel’s approach to IT Security and Compliance leverages the SANS Twenty Critical Controls for Effective Cyber Defense: Consensus Audit Guidelines (20CC). We have embraced 20CC for the following reasons:

  • Comprehensiveness – All the major critical IT Security functions are covered.
  • Credentials – The document was generated by a strong group of experienced security professionals from government and industry.
  • Concreteness – The document provides very specific recommendations.
  • Automation – Fifteen of the twenty controls are readily automated.
  • Metrics – One or more simple, specific, measurable tests are provided to assess the effectiveness of each recommended control.
  • Phases – Each of the twenty controls has sub-controls which can be implemented in phases. In fact, each control describes at least one “Quick Win.” This lessens the potentially overwhelming nature of other security models.
  • Brevity – The current version of the document is only 58 pages as compared to other approaches which are spread over multiple books.
  • Price – The document is free.

If there is any weakness to the 20CC, it’s the consensus nature of it. However, in our opinion this weakness is only reflected in its understandable unwillingness to recommend a solution that would inure to the benefit of a single manufacturer. This is particularly reflected in the “Boundary Defense” control which recommends stateful inspection firewalls and separate Intrusion Prevention Systems.

For boundary defense, Cymbel recommends the only next-generation firewall on the market – Palo Alto Networks. That’s not just us saying it. Gartner said it in its 2010 Enterprise Firewall Magic Quadrant.

I would love to hear your opinions on the SANS Twenty Critical Security Controls.