The Critical Security Controls – Moving Beyond the Checklist Mentality
The "Critical Security Controls" (CSC) guidelines (previously known as the "Consensus Audit Guidelines," or CAG) are designed to help organizations move beyond a "checklist" mentality by making security an integral part of, instead of an adjunct to, the operations and management of systems and networks. Based on known "real world" attack vectors, it helps organizations by prioritizing IT security expenditures so they get the most value from their IT security spend. Though the initial framework was focused on federal agencies, the CSC might impact organizations beyond just US governmental agencies. Since 85% of the critical public infrastructure (think communications, power, transportation, financial and more) are in private hands, the notions suggested in CSC are expected to force their way into those arenas (via, for instance, NERC and CFATS). The CSC consists of 20 Critical Controls; the first 15 of these should be automatically measured and validated, while the last five cannot be automatically assessed with today's technology. These 20 controls are made up of 142 different implementation guidelines. Listen to this podcast to learn more about the CSC guidelines and how they can help your organization.