Thursday, March 2, 2023

SANS Critical Security Controls (CSC) Framework

 

The SANS Critical Security Controls (CSC) Framework, also known as the SANS Top 20, is a set of security best practices created by the SANS Institute to help organizations improve their cybersecurity posture. The framework is designed to prioritize and focus an organization's efforts on the most critical security controls, based on the latest attack trends and successful defense strategies.

The framework consists of 20 controls organized into three categories: Basic, Foundational, and Organizational. The Basic Controls provide essential protections against the most prevalent threats, while the Foundational Controls focus on more advanced protection against sophisticated attacks. The Organizational Controls address strategic and governance issues that are critical for effective cybersecurity management.

The SANS Critical Security Controls Framework is regularly updated to ensure it remains current and relevant to the evolving threat landscape. It is widely used by organizations of all sizes and across all industries as a benchmark for evaluating and improving their security posture.

Here is a breakdown of the SANS Top 20 Critical Security Controls Framework into its three categories:

Basic Controls:

  1. Inventory and Control of Hardware Assets
  2. Inventory and Control of Software Assets
  3. Continuous Vulnerability Management
  4. Controlled Use of Administrative Privileges
  5. Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
  6. Maintenance, Monitoring, and Analysis of Audit Logs

Foundational Controls:

  1. Email and Web Browser Protections
  2. Malware Defenses
  3. Limitation and Control of Network Ports, Protocols, and Services
  4. Data Recovery Capability
  5. Secure Configuration for Network Devices such as Firewalls, Routers, and Switches
  6. Boundary Defense
  7. Data Protection
  8. Controlled Access Based on Need to Know

Organizational Controls:

  1. Wireless Access Control
  2. Account Monitoring and Control
  3. Security Skills Assessment and Appropriate Training to Fill Gaps
  4. Application Software Security
  5. Incident Response and Management
  6. Penetration Tests and Red Team Exercises

These controls are prioritized based on the threat landscape and are intended to provide organizations with a roadmap for improving their cybersecurity posture. By implementing these controls, organizations can better protect their critical assets and reduce their risk of a cyber-attack.

 

 
