Here's the summary list:
- Inventory of Authorized and Unauthorized Devices
- Inventory of Authorized and Unauthorized Software
- Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
- Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
- Boundary Defense
- Maintenance, Monitoring, and Analysis of Security Audit Logs
- Application Software Security
- Controlled Use of Administrative Privileges
- Controlled Access Based on the Need to Know
- Continuous Vulnerability Assessment and Remediation
- Account Monitoring and Control
- Malware Defenses
- Limitation and Control of Network Ports, Protocols, and Services
- Wireless Device Control
- Data Loss Prevention
- Secure Network Engineering
- Penetration Tests and Red Team Exercises
- Incident Response Capability
- Data Recovery Capability
- Security Skills Assessment and Appropriate Training to Fill Gaps
I encourage those interested to read the large PDF version of the document.
Also, I recommend that anyone running the security defenses at an IT shop take a look at the control recommendations and note where his or her organization's policies, procedures, and implementations have gaps.
The list is not ranked in order of priority. You would first have to determine what your organization's risks are, decide which are not being optimally addressed, and then go about fixing the gaps. For instance, in most companies the biggest risk leading to the most compromises is end-users installing things that they shouldn't, such as malware. Controls under the umbrellas of Malware Defenses and Controlled Use of Administrative Privileges are the ones most likely to appropriately address those related problems. When you have end-users installing fake antivirus programs, boundary defenses, secure network engineering, and the like aren't going to get you a lot of bang for your buck.
I especially like that the controls include inventories. I'm surprised by how many IT shops have no idea what software and hardware are used within their environment, especially the unmanaged components. The only other inventory item I would add is a data inventory. All the controls being discussed exist to protect data, and you can't implement the Data Loss Prevention control if you don't know where the data is.
Again, I encourage computer security defenders to download and review the bigger document. You will improve your ideas -- you won't be able to help it.
This story, "In the IT security world, policies and controls are king," was originally published at InfoWorld.com. Keep up on the latest developments in network security and read more of Roger Grimes's Security Adviser blog at InfoWorld.com.