20 Security Controls

There are 20 Security controls that are well known and published by the Center for Internet Security (CIS).

The design of the security controls is to build the outline of a comprehensive security plan. Each of these is critical to securing your organization. There are 3 categories of controls: Basic, Foundational, and Organizational.

Implementation of controls is independent of each other. Ideally you should implement all the basic controls first. Then tackle each of the foundational controls as your budget allows. Focusing on the items that would provide the most benefit first. Implement the organizational controls last.

Open Source Security

Over the next months of blog entries, I will be taking a look at each control. I will approach these first from an open source tool perspective. The combination of these controls and tools will form the core of an open source security operations platform. If a tool is not available. Or if it does not meet the standards for functionality. Then I will consider commercial alternatives.

A consideration about commercial products. The trade-off with a commercial product is time vs cost. Commercial tools reduce the time install to providing value but it comes at a higher upfront cost. Open source may be free but will likely have a higher cost in man hours. Support for open source applications is also harder to find. Consider the value of your time to deploy an open source tool vs a commercial alternative.

Next Control – Inventory and Control of Hardware Assets

Next time I will highlight the first control. It is Inventory and Control of Hardware Assets. This inventory control focuses on managing all hardware devices on your network. Only allow authorized devices to connect and communicate on the network. Prevent unauthorized and/or unmanaged devices access. How do we do that? Come back next time…