FISMA compliance CSIS: 20 Critical Security Controls
Government information security has come under scrutiny in the past few years. With this in mind, FISMA requirements have been reviewed to make understanding compliance simpler. The 20 Critical Security Controls focuses on prevention, monitoring and detection; all of which are essential to cyber security.
The 20 requirements will help to ensure organisations know what to prioritise and also what to measure to allow consistent compliance throughout the year. By focusing on what’s important, government agencies can utilise their budget effectively.
20 Critical Controls

Critical Control – Effect on Attack Mitigation

1. Inventory of Authorized and Unauthorized Devices – Very high
2. Inventory of Authorized and Unauthorized Software – Very high
3. Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers – Very high
4. Continuous Vulnerability Assessment and Remediation – Very high
5. Malware Defences – High
6. Application Software Security – High
7. Wireless Device Control – High
8. Data Recovery Capability – Moderately high to high
9. Security Skills Assessment and Appropriate Training to Fill Gaps – Moderately high to high
10. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches – Moderately high
11. Limitation and Control of Network Ports, Protocols, and Services – Moderately high
12. Controlled Use of Administrative Privileges – Moderate to Moderately high
13. Boundary Defence – Moderate
14. Maintenance, Monitoring, and Analysis of Security Audit Logs – Moderate
15. Controlled Access Based on the Need to Know – Moderate
16. Account Monitoring and Control – Moderate
17. Data Loss Prevention – Moderately low to Moderate
18. Incident Response Capability – Moderately low to Moderate
19. Secure Network Engineering – Low
20. Penetration Tests and Red Team Exercises – Low

Effect on Attack Mitigation key:
Very high – actively targeted and exploited by all threats.
High – known entry point for targeted attacks.
Moderate – reduce attack surface, address known propagation techniques, and/or mitigate impact.
Low – optimising, validating, and/or effectively managing controls.

For more information on applying the 20 Critical Controls, visit Sans.org