FISMA - CSIS 20 Critical Controls


FISMA compliance CSIS: 20 Critical Security Controls

Government information security has come under scrutiny in the past few years. With this in mind, FISMA requirements have been reviewed to make compliance simpler to understand. The 20 Critical Security Controls focus on prevention, monitoring and detection, all of which are essential to cyber security.

The 20 requirements will help to ensure organisations know what to prioritise and what to measure, allowing consistent compliance throughout the year. By focusing on what is important, government agencies can use their budget effectively.


20 Critical Controls

Critical Control                                                                                   Effect on Attack Mitigation

 1. Inventory of Authorised and Unauthorised Devices                                               Very high
 2. Inventory of Authorised and Unauthorised Software                                              Very high
 3. Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers          Very high
 4. Continuous Vulnerability Assessment and Remediation                                            Very high
 5. Malware Defences                                                                               High
 6. Application Software Security                                                                  High
 7. Wireless Device Control                                                                        High
 8. Data Recovery Capability                                                                       Moderately high to high
 9. Security Skills Assessment and Appropriate Training to Fill Gaps                               Moderately high to high
10. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches             Moderately high
11. Limitation and Control of Network Ports, Protocols, and Services                               Moderately high
12. Controlled Use of Administrative Privileges                                                    Moderate to moderately high
13. Boundary Defence                                                                               Moderate
14. Maintenance, Monitoring, and Analysis of Security Audit Logs                                   Moderate
15. Controlled Access Based on the Need to Know                                                    Moderate
16. Account Monitoring and Control                                                                 Moderate
17. Data Loss Prevention                                                                           Moderately low to moderate
18. Incident Response Capability                                                                   Moderately low to moderate
19. Secure Network Engineering                                                                     Low
20. Penetration Tests and Red Team Exercises                                                       Low

Key to the Effect on Attack Mitigation ratings:

Very high – actively targeted and exploited by all threats.
High – known entry point for targeted attacks.
Moderate – reduce attack surface, address known propagation techniques, and/or mitigate impact.
Low – optimising, validating, and/or effectively managing controls.

For more information on applying the 20 Critical Controls, visit Sans.org

