Dyson College of Arts and Sciences

Summit on Resilience II: The Next Storm


Issue link: http://dysoncollege.uberflip.com/i/633753


Table II: Document Contributors

The Main Tenets of the Controls

Out of this arrangement of cyber-security agencies and professionals was launched the first independent, non-commercial platform for the stewardship of the 20 Critical Security Controls. Below are the five critical tenets of an effective cyber defense system, as reflected in the Critical Security Controls: [5]

1. Offense informs defense: Use knowledge of actual attacks that have compromised systems as the foundation for continually learning from these events and building effective, practical defenses. Include only those controls that can be shown to stop known real-world attacks.

2. Prioritization: Invest first in Controls that will provide the greatest risk reduction and protection against the most dangerous threat actors, and that can be feasibly implemented in your computing environment.

3. Metrics: Establish common metrics to provide a shared language for executives, IT specialists, auditors, and security officials to measure the effectiveness of security measures within an organization, so that required adjustments can be identified and implemented quickly.

4. Continuous diagnostics and mitigation: Carry out continuous measurement to test and validate the effectiveness of current security measures, and to help drive the priority of next steps.

5. Automation: Automate defenses, so that organizations can achieve reliable, scalable, and continuous measurement of their adherence to the Controls and related metrics.

Table III lists the Critical Security Controls; a more detailed description of the context of each control appears in Appendix A.

Table III: The 20 Critical Security Controls

1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations of Hardware/Software on Mobile Devices, Laptops, Workstations and Servers
4. Continuous Vulnerability Assessment and Remediation
5. Malware Defenses
6. Application Software Security
7. Wireless Device Control
8. Data Recovery Capability (validated manually)
9. Security Skills Assessment and Training to Fill Gaps
10. Secure Configurations for Network Devices such as Firewalls, Routers and Switches
11. Limitation and Control of Network Ports, Protocols and Services
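The tenets of metrics, continuous diagnostics and automation are abstract as stated, and Control 1 (Inventory of Authorized and Unauthorized Devices) is the most concrete place to see them together. The following is an added example, not code from the report or from the Controls' stewards: it reconciles a constructed authorized-device inventory against a constructed observation feed (the "<ip> <mac> <hostname>" line format is an assumption chosen for the example, standing in for a DHCP lease or ARP export), flags devices that are unauthorized or unseen, and reduces the result to metrics that can be tracked from run to run.

```python
"""Reconcile observed devices against an authorized inventory (CIS Control 1).

Added example with constructed data; the feed format below is an assumption,
not a real product export.
"""
from dataclasses import dataclass

# Constructed authorized inventory: MAC -> (hostname, owning team).
AUTHORIZED = {
    "00:1a:2b:3c:4d:01": ("fileserver-01", "infra"),
    "00:1a:2b:3c:4d:02": ("ws-alice", "finance"),
    "00:1a:2b:3c:4d:03": ("ws-bob", "finance"),
    "00:1a:2b:3c:4d:04": ("printer-3f", "facilities"),
}

# Constructed observation feed (assumed format "<ip> <mac> <hostname>").
# Note the mixed-case MAC, a comment line and a malformed line: a real feed
# is rarely clean, and the parser must not let noise mask an unauthorized host.
OBSERVED_LINES = """\
# exported by the example collector
10.0.1.10 00:1a:2b:3c:4d:01 fileserver-01
10.0.1.21 00:1a:2b:3c:4d:02 ws-alice
10.0.1.22 00:1A:2B:3C:4D:03 ws-bob
10.0.1.50 not-a-mac broken-record
10.0.1.99 5c:ff:35:aa:bb:01 android-9f3e
"""


def normalize_mac(mac: str) -> str:
    """Canonicalize a MAC to lower-case colon form so 00-1A-2B-... matches 00:1a:2b:..."""
    digits = mac.replace("-", "").replace(":", "").replace(".", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_observed(text: str) -> dict[str, tuple[str, str]]:
    """Parse feed lines into MAC -> (ip, hostname); blank, comment and malformed lines are skipped."""
    seen: dict[str, tuple[str, str]] = {}
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) != 3 or parts[0].startswith("#"):
            continue
        ip, mac, hostname = parts
        try:
            seen[normalize_mac(mac)] = (ip, hostname)
        except ValueError:
            continue  # malformed MAC: drop the record rather than the whole run
    return seen


@dataclass
class Reconciliation:
    matched: dict[str, tuple[str, str]]       # authorized and currently observed
    unauthorized: dict[str, tuple[str, str]]  # observed but not in the inventory
    unseen: list[str]                         # in the inventory but not observed


def reconcile(authorized: dict, observed: dict) -> Reconciliation:
    """Split observed devices into matched/unauthorized and list authorized devices not seen."""
    auth = {normalize_mac(m): v for m, v in authorized.items()}
    matched = {m: o for m, o in observed.items() if m in auth}
    unauthorized = {m: o for m, o in observed.items() if m not in auth}
    unseen = sorted(m for m in auth if m not in observed)
    return Reconciliation(matched, unauthorized, unseen)


def metrics(rec: Reconciliation, authorized_count: int) -> dict:
    """Reduce a reconciliation to the numbers worth tracking run over run (tenets 3-5)."""
    coverage = len(rec.matched) / authorized_count if authorized_count else 0.0
    return {
        "inventory_coverage": round(coverage, 3),
        "unauthorized_devices": len(rec.unauthorized),
        "unseen_authorized_devices": len(rec.unseen),
    }


def run(authorized: dict = AUTHORIZED, observed_text: str = OBSERVED_LINES):
    """One diagnostic cycle: parse, reconcile, measure."""
    rec = reconcile(authorized, parse_observed(observed_text))
    return rec, metrics(rec, len(authorized))


if __name__ == "__main__":
    rec, m = run()
    for mac, (ip, host) in rec.unauthorized.items():
        print(f"UNAUTHORIZED {mac} {ip} {host}")
    for mac in rec.unseen:
        print(f"UNSEEN {mac} ({AUTHORIZED[mac][0]})")
    print(m)
```

Scheduling `run()` and recording `metrics()` each cycle gives the continuous measurement the tenets call for; a rising `unauthorized_devices` count or a falling `inventory_coverage` is the signal that prioritization or remediation is needed. The key used for matching is a deliberate simplification: a MAC address is only as trustworthy as the layer that reported it, so a production inventory should correlate several attributes (switch port, certificate or agent identity) rather than one.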
