Dyson College of Arts and Sciences

America's critical infrastructure is the backbone of our national economy, security, health and wealth. Whether it's the power used in our homes or industries, the water we consume in our daily lives, the transportation networks that move people and commerce, and the communication systems that interconnect all of us, the assets, systems, and networks (physical and logical/virtual) are so vital to the U.S that should any part of that infrastructure become unavailable, it would have a debilitating effect and put the entire nation at risk. From a system engineering perspective, the Top 20 Critical Security Controls is a move toward protecting this collective infrastructure against those that would do us harm. About the author With accumulated Information Systems experience in industry and academia spanning more than three decades, Dr. James W. Gabberty is Professor of Information Systems on the Faculty at Pace University in New York City, where he teaches courses in Cyber Security, Systems Analysis & Design, and Telecommunications. An alumnus of the Massachusetts Institute of Technology and New York University Polytechnic Institute, he has served as an expert witness in telecommunication and information security at the federal and state levels. A member of Infragard and the MS-ISAC, Dr. Gabberty holds numerous certifications from the SANS Institute and ISACA, and is compliant in all levels of IAT/IAM satisfying U.S. DoD 8570 & U.S. DISA Computer Network Defense. APPENDIX A 20 Critical Security Controls in Detail 1. Inventory of Authorized and Unauthorized Devices: Processes & Tools used to track, control, prevent, and correct network access by devices (PCs, printers, network computers, and anything with an IP address) based on an asset inventory of which devices are allowed to connect to the network. 2. Inventory of Authorized and Unauthorized Software: The processes and tools organizations used to track, control, prevent, and correct installation and execution of software on computers on an asset inventory of approved software. 3. Secure Configurations of Hardware/Software on Mobile Devices, Laptops, Workstations, & Servers: Processes and tools to track, prevent, and correct security weaknesses in the configurations of the hardware and software of mobile devices, laptops, workstations, and servers based on a formal configuration management and change control process. 4. Continuous Vulnerability Assessment and Remediation: The processes and tools used to detect, prevent, and correct security vulnerabilities in the configurations of devices that are listed and approved in the asset inventory database. 5. Malware Defenses: The processes and tools used to detect, prevent, and/or correct installation and execution of malicious software on all devices. 6. Application Software Security: The process and tools organizations use to detect, prevent, and/or correct security weaknesses in the development and acquisition of software applications. 7. Wireless Device Control: The processes and tools used to track, control, prevent, and/or correct the security use of wireless LANs, access points and wireless client systems. 72

• Cover