I have been working recently with the Centre for the Protection of National Infrastructure’s (CPNI) 20 Critical Security Controls for Cyber Defence.
The following text is taken from the CPNI website here: http://www.cpni.gov.uk/advice/cyber/Critical-controls/
The 20 controls (and sub-controls) focus on various technical measures and activities, with the primary goal of helping organisations prioritise their efforts to defend against the current most common and damaging computer and network attacks. Outside of the technical realm, a comprehensive security program should also take into account many other areas of security, including overall policy, organisational structure, personnel issues and physical security. To help maintain focus, the 20 controls do not deal with these important but non-technical aspects of information security.
The 20 controls and supporting advice are dynamic in order that they recognise changing technology and methods of attack.
- Critical control 1 – Inventory of authorised and unauthorised devices
- Critical control 2 – Inventory of authorised and unauthorised software
- Critical control 3 – Secure configurations for hardware and software
- Critical control 4 – Continuous vulnerability assessment and remediation
- Critical control 5 – Malware defences
- Critical control 6 – Application software security
- Critical control 7 – Wireless device control
- Critical control 8 – Data recovery capability
- Critical control 9 – Security skills assessment and appropriate training to fill gaps
- Critical control 10 – Secure configurations for network devices
- Critical control 11 – Limitation and control of network ports, protocols, and services
- Critical control 12 – Controlled use of administrative privileges
- Critical control 13 – Boundary defence
- Critical control 14 – Maintenance, monitoring, and analysis of security audit logs
- Critical control 15 – Controlled access based on the need-to-know
- Critical control 16 – Account monitoring and control
- Critical control 17 – Data loss prevention
- Critical control 18 – Incident response capability
- Critical control 19 – Secure network engineering
- Critical control 20 – Penetration tests and red team exercises