Technology: 20 critical information security controls
Information security programs are mandatory for certain industries and most government agencies. It can bewilder in-house counsel to navigate the many technical and administrative requirements.
April 26, 2013 at 03:58 AM
The original version of this story was published on Law.com
Information security programs are mandatory for certain industries and most government agencies. It can bewilder in-house counsel to navigate the many technical and administrative requirements. Fortunately, there are a number of resources to help. One framework, in particular, is gaining acceptance as a best practice for information security programs: the SANS Institute's Top 20 Critical Controls. Both attorneys and management can use the SANS controls to prioritize and fund information security initiatives.
Following is a primer for nontechnologists on the objectives and benefits of each of the Top 20 Controls.
1. Inventory of authorized and unauthorized devices. The number of information systems has exploded in most large organizations, resulting in a vast IT infrastructure. Unwinding this complexity is a critical first step to knowing what needs protection. Creating accurate, up-to-date inventories of information and systems is one of the most difficult of the 20 controls, but it is an essential prerequisite to the rest.
2. Inventory of authorized and unauthorized software. Ditto.
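Controls 1 and 2 come down to the same comparison: what the organization has approved versus what is actually present on the network. The following is an added example (not code from the article or from the SANS Institute) that reconciles a constructed device inventory and a constructed software inventory against constructed scan results; the MAC addresses, host names and product names are made-up sample data.

```python
"""Reconcile an approved inventory against what was actually observed.

Added example for controls 1 and 2. Everything below is constructed
sample data; the same comparison works for devices (keyed by hardware
address) and for software (keyed by host and product name).
"""

# Constructed: hardware address -> what the asset register says it is.
AUTHORIZED_DEVICES = {
    "00:1a:2b:3c:4d:01": "file server",
    "00:1a:2b:3c:4d:02": "CFO laptop",
    "00:1a:2b:3c:4d:03": "printer, 3rd floor",
}

# Constructed: hardware address -> IP address as reported by a network scan.
OBSERVED_DEVICES = {
    "00:1a:2b:3c:4d:01": "10.0.0.10",
    "00:1a:2b:3c:4d:02": "10.0.0.57",
    "00:1a:2b:3c:4d:99": "10.0.0.201",  # nobody approved this one
}

# Constructed: (host, product) pairs the organization permits.
AUTHORIZED_SOFTWARE = {
    ("ws-017", "Office suite"),
    ("ws-017", "Archive utility"),
    ("srv-db1", "Database server"),
}

# Constructed: (host, product) pairs reported by endpoint agents.
OBSERVED_SOFTWARE = {
    ("ws-017", "Office suite"),
    ("ws-017", "Archive utility"),
    ("ws-017", "File-sharing client"),  # not on the approved list
    ("srv-db1", "Database server"),
}


def reconcile(authorized, observed):
    """Return what is present but unapproved, approved but absent, and both.

    Both arguments may be dicts or sets; only their keys/members are compared.
    """
    approved = set(authorized)
    present = set(observed)
    return {
        "unauthorized": sorted(present - approved),  # needs removal or approval
        "missing": sorted(approved - present),       # lost, powered off, or stale record
        "confirmed": sorted(approved & present),     # inventory and reality agree
    }


def report(label, result):
    """Render a reconciliation result as plain-text lines for a status report."""
    lines = [f"{label}: {len(result['confirmed'])} confirmed"]
    for item in result["unauthorized"]:
        lines.append(f"  UNAUTHORIZED {item}")
    for item in result["missing"]:
        lines.append(f"  MISSING      {item}")
    return lines


if __name__ == "__main__":
    for line in report("devices", reconcile(AUTHORIZED_DEVICES, OBSERVED_DEVICES)):
        print(line)
    for line in report("software", reconcile(AUTHORIZED_SOFTWARE, OBSERVED_SOFTWARE)):
        print(line)
```

The "missing" list is as important as the "unauthorized" one: a device that is approved but never seen is either lost, decommissioned without updating the register, or simply stale data, and each of those is a finding in its own right.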
3. Secure configurations for hardware and software on mobile devices, laptops, workstations and servers. Nearly all IT components have a variety of dials and switches used to configure them, and some settings are more secure than others. This control calls for documented settings that are and are not allowed.
4. Continuous vulnerability assessment and remediation. Technology tools should scan IT environments searching for the equivalent of unlocked doors and windows, known as vulnerabilities. Vulnerability assessment should occur on a continuous, recurring basis.
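"Continuous" scanning only pays off if the findings from each run are tracked over time and each one is tied to a remediation deadline. The following is an added example (not code from the article or from SANS) that merges two constructed scan runs into a tracking table and reports which open findings have exceeded a remediation deadline; the severity-to-deadline policy, host names and finding names are all assumptions made for the illustration.

```python
"""Track vulnerability findings across recurring scans and flag overdue ones.

Added example for control 4. Scan results and the SLA table are constructed.
"""
from datetime import date, timedelta

# Assumed remediation policy: days allowed to fix a finding, by severity.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Constructed results of two scan runs: (host, finding) -> severity.
SCAN_MARCH = {
    ("srv-web1", "outdated-openssl"): "high",
    ("srv-web1", "ssl-weak-cipher"): "medium",
    ("ws-017", "missing-browser-update"): "critical",
}
SCAN_APRIL = {
    ("srv-web1", "outdated-openssl"): "high",      # still there a month later
    ("srv-web1", "ssl-weak-cipher"): "medium",
    ("srv-db1", "default-admin-password"): "critical",  # new this run
    # ws-017 no longer reports the browser finding: it was patched
}


def ingest_scan(tracked, scan, scan_date):
    """Merge one scan run into the tracking table and return the table.

    tracked maps (host, finding) -> {"severity", "first_seen", "last_seen",
    "resolved"}.  A finding keeps its original first_seen date for as long as
    it keeps reappearing; one that stops appearing is marked resolved.
    """
    for key, severity in scan.items():
        entry = tracked.get(key)
        if entry is None or entry["resolved"] is not None:
            tracked[key] = {"severity": severity, "first_seen": scan_date,
                            "last_seen": scan_date, "resolved": None}
        else:
            entry["last_seen"] = scan_date
            entry["severity"] = severity
    for key, entry in tracked.items():
        if entry["resolved"] is None and key not in scan:
            entry["resolved"] = scan_date
    return tracked


def overdue(tracked, today):
    """Return (key, severity, days_overdue) for open findings past their deadline."""
    late = []
    for key, entry in tracked.items():
        if entry["resolved"] is not None:
            continue
        deadline = entry["first_seen"] + timedelta(days=SLA_DAYS[entry["severity"]])
        if today > deadline:
            late.append((key, entry["severity"], (today - deadline).days))
    return sorted(late, key=lambda item: -item[2])  # most overdue first


def build_tracker():
    """Run both constructed scans through the tracker, in date order."""
    tracked = {}
    ingest_scan(tracked, SCAN_MARCH, date(2013, 3, 1))
    ingest_scan(tracked, SCAN_APRIL, date(2013, 4, 1))
    return tracked


if __name__ == "__main__":
    for key, severity, days in overdue(build_tracker(), date(2013, 4, 15)):
        print(f"{days:3d} days overdue  {severity:8s} {key[0]} {key[1]}")
```

Keeping the original first-seen date, rather than resetting it on every scan, is what turns a list of findings into a measure of remediation performance: a "high" that has been reported three months running is a process failure, not just a technical one.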
5. Malware defenses. Malware (computer viruses and malicious programs) invades corporate IT systems and causes damage. Enterprise-class anti-virus products defend against far more than just viruses and should be deployed, monitored and properly configured.
6. Application software security. Software developers should avoid common programming mistakes that introduce vulnerabilities in software applications. Flaw-detection products should scan the source or program code prior to being released.
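One of the most common of those programming mistakes is building a database query by pasting user-supplied text into it. The following is an added example (not code from the article) showing a lookup written the mistaken way beside the corrected, parameterized form, using Python's built-in sqlite3 module and a constructed in-memory table of legal matters.

```python
"""A common application-security mistake and its fix.

Added example for control 6. The table contents are constructed sample data.
"""
import sqlite3


def make_db():
    """Create a throwaway in-memory database with a few constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE matters (id INTEGER PRIMARY KEY, client TEXT, title TEXT)")
    conn.executemany(
        "INSERT INTO matters (client, title) VALUES (?, ?)",
        [("Acme Corp", "Acme v. Widgets"),
         ("Acme Corp", "Acme merger review"),
         ("Beta LLC", "Beta IPO")],
    )
    return conn


def matters_for_client_unsafe(conn, client):
    """MISTAKE: the caller's text becomes part of the SQL itself.

    Anything the caller types, including quote characters and SQL keywords,
    is interpreted by the database as part of the query, so the caller can
    change what the query means.
    """
    sql = "SELECT title FROM matters WHERE client = '%s'" % client
    return [row[0] for row in conn.execute(sql)]


def matters_for_client_safe(conn, client):
    """FIX: a placeholder carries the value as data, never as SQL text."""
    rows = conn.execute("SELECT title FROM matters WHERE client = ?", (client,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    # Ordinary input behaves the same either way.
    print(matters_for_client_unsafe(db, "Acme Corp"))
    print(matters_for_client_safe(db, "Acme Corp"))
    # Input containing a quote character: the unsafe version's query
    # structure changes and it returns every client's matters; the safe
    # version simply finds no client with that literal name.
    crafted = "x' OR '1'='1"
    print(matters_for_client_unsafe(db, crafted))
    print(matters_for_client_safe(db, crafted))
```

Static flaw-detection tools of the kind the article mentions flag exactly the pattern in the unsafe function (string formatting into a query) and pass the parameterized one, which is why scanning source code before release catches this class of error cheaply.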
7. Wireless device control. Wireless networks should be secured so unauthorized parties cannot access the corporate network. Hackers drive around searching for unsecured wireless network signals.
8. Data recovery capability. Make sure data is backed up and recoverable to minimize risk of actual data loss stemming from natural disasters, business disruptions, computer crimes and IT failures.
9. Security skills assessment and appropriate training to fill gaps. Do not trim costs of training and education for personnel responsible for enterprise data protection. Training should not be limited to IT.
10. Secure configurations for network devices such as firewalls, routers and switches. This control is particularly applicable to the creation of safe network zones. When it is lacking, a hacker who compromises one system can use it to attack other systems in the enterprise; deploying the control prevents the attacker from reaching more sensitive systems.
11. Limitation and control of network ports, protocols and services. Implementing this control removes the many IT services that face the Internet and answer attackers' queries, functioning like a white pages directory or a fast-food drive-through window.
12. Controlled use of administrative privileges. Large organizations often have too much access inadvertently granted to too many people. The goal here is to limit powerful system access.
13. Boundary defense. New, layered technologies augment firewalls in securing corporate networks.
14. Maintenance, monitoring and analysis of audit logs. Enterprises should not collect unnecessary data, nor should they ignore the data they do collect.
15. Controlled access based on the need to know. Only grant data access on a need-to-know basis. This control corrects the common practice of blindly giving a new employee the same access as his manager or co-worker.
16. Account monitoring and control. Related to controls 12 and 15, this control alerts management to unauthorized activity, whether it stems from illicit intent or from unintentional mistakes.
17. Data loss prevention. This control helps detect large data breaches in the enterprise network, an unfortunate reality that many large enterprises discover only after sensitive data has been flowing to criminals for months or years.
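Controls 12, 14 and 16 meet in the audit log: the log is collected (14), and it is read with the questions "who used administrative power?" (12) and "which accounts were active, and were they supposed to be?" (16). The following is an added example (not code from the article or from SANS) that runs three such checks over a handful of constructed log lines; the log format, account names, host names and the failure threshold are assumptions made for the illustration.

```python
"""Simple review of authentication logs against an account list.

Added example for controls 12, 14 and 16. The log lines, account lists and
the key=value log format are constructed for this illustration.
"""
from collections import Counter

# Constructed: accounts HR says are active, and the subset allowed admin rights.
ACTIVE_ACCOUNTS = {"jsmith", "mchen", "admin"}
ADMIN_ACCOUNTS = {"admin"}
FAILURE_THRESHOLD = 3  # assumed: this many failures from one source is worth a look

# Constructed log lines: timestamp followed by key=value fields.
SAMPLE_LOG = [
    "2013-04-25T22:14:03 host=srv-db1 event=login user=jsmith result=success src=10.0.0.57",
    "2013-04-25T22:14:09 host=srv-db1 event=sudo user=jsmith command=/bin/sh",
    "2013-04-25T23:02:41 host=srv-web1 event=login user=tmp_vendor result=success src=203.0.113.8",
    "2013-04-26T01:10:00 host=srv-web1 event=login user=admin result=failure src=198.51.100.23",
    "2013-04-26T01:10:04 host=srv-web1 event=login user=admin result=failure src=198.51.100.23",
    "2013-04-26T01:10:09 host=srv-web1 event=login user=admin result=failure src=198.51.100.23",
    "2013-04-26T08:30:12 host=srv-db1 event=login user=mchen result=success src=10.0.0.61",
]


def parse(line):
    """Turn one 'ts k=v k=v ...' line into a dict (values contain no spaces)."""
    ts, _, rest = line.partition(" ")
    fields = dict(pair.split("=", 1) for pair in rest.split())
    fields["ts"] = ts
    return fields


def analyze(lines, active=ACTIVE_ACCOUNTS, admins=ADMIN_ACCOUNTS,
            threshold=FAILURE_THRESHOLD):
    """Return (rule, user, where) alerts in the order they were detected.

    Rules:
      unknown-account-login     login by an account not on the active list (16)
      non-admin-privilege-use   admin command by an account not cleared for it (12)
      repeated-login-failures   threshold failures for one user from one source (14)
    """
    alerts = []
    failures = Counter()
    for line in lines:
        event = parse(line)
        user = event.get("user")
        if event["event"] == "login":
            if user not in active:
                alerts.append(("unknown-account-login", user, event["host"]))
            if event.get("result") == "failure":
                failures[(user, event["src"])] += 1
        elif event["event"] == "sudo" and user not in admins:
            alerts.append(("non-admin-privilege-use", user, event["host"]))
    for (user, src), count in failures.items():
        if count >= threshold:
            alerts.append(("repeated-login-failures", user, src))
    return alerts


if __name__ == "__main__":
    for rule, user, where in analyze(SAMPLE_LOG):
        print(f"{rule:26s} user={user} at {where}")
```

Each rule depends on a list the organization must already maintain (active accounts, approved administrators), which is why the article groups these controls together: logging without an authoritative account list produces data nobody can act on.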
18. Incident response and management. This control addresses an organization's ability to limit hacking damage, preserve reputation and protect customers.
19. Secure network engineering. This control seeks to establish a competency in secure network architecture and the design and deployment of secure networks. See controls 4, 7, 9, 10, 11, 13 and 17.
20. Penetration tests and “red team” exercises. Employ good-guy hackers, often called “white-hats” or “red teams,” to conduct simulated attacks that discover unknown vulnerabilities. Include tests such as social engineering, in which attackers attempt to get employees to divulge passwords and grant access by exploiting a natural willingness to help.