SANS: Critical Controls guidelines to protect your network from cyber attacks

The Critical Controls are specific guidelines that CISOs, CIOs, IGs, and various computer emergency response teams can provide to their technical system administration and information security personnel to ensure that their systems have the most critical baseline controls in place.  To help organizations with different levels of information security capabilities design a sound security baseline and then improve beyond that, the sub-controls included in each of the Critical Control summaries specify actions that organizations can take to improve their defenses:

  • Quick wins on fundamental aspects of information security to help an organization rapidly improve its security stance without major procedural, architectural, or technical changes to its environment.
  • Visibility and attribution measures to improve the process, architecture, and technical capabilities of organizations to monitor their networks and computer systems to detect attack attempts, locate points of entry, identify already-compromised machines, interrupt infiltrated attackers’ activities, and gain information about the sources of an attack.
  • Improved information security configuration and hygiene to reduce the number and magnitude of security vulnerabilities and improve the operations of networked computer systems, with a focus on protecting against poor security practices by system administrators and end-users that could give an attacker an advantage.
  • Advanced sub-controls that use new technologies that provide maximum security but are harder to deploy or more expensive than commoditized security solutions.

http://www.sans.org/critical-security-controls/cag4.pdf

http://www.sans.org/critical-security-controls/guidelines.php
