The Center for Strategic & International Studies, a think tank founded in 1962 that focuses on strategic defense and security issues, published a consensus-driven set of "Twenty Critical Controls for Effective Cyber Defense." While aimed at federal agencies, its recommendations apply to commercial enterprises as well. Fifteen of the twenty controls can be validated, at least in part, in an automated manner.
Also of note, the SANS Top Cyber Security Risks report of September 2009 refers to this document as "Best Practices in Mitigation and Control of The Top Risks."
Here are the twenty critical controls:
- Inventory of authorized and unauthorized devices
- Inventory of authorized and unauthorized software
- Secure configurations of hardware and software on laptops, workstations, and servers
- Secure configurations for network devices such as firewalls, routers, and switches
- Boundary defense
- Maintenance, monitoring, and analysis of security audit logs
- Application software security
- Controlled use of administrative privileges
- Controlled access based on need to know
- Continuous vulnerability assessment and remediation
- Account monitoring and control
- Malware defenses
- Limitation and control of network ports, protocols, and services
- Wireless device control
- Data loss prevention
- Secure network engineering
- Penetration tests and red team exercises
- Incident response capability
- Data recovery capability
- Security skills assessment and appropriate training to fill gaps
I find this document compelling because of its breadth and its brevity (only 49 pages). Furthermore, for each control it lays out "Quick Wins … that can help an organization rapidly improve its security stance generally without major procedural, architectural, or technical changes to its environment," followed by three successively more comprehensive categories of subcontrols.