Most companies do not properly evaluate computer security risk and end up with controls misaligned to their biggest risks. It’s the subject of my Data-Driven Computer Security Defense book. A lot of security pros know this, which is why after many of my talks on risk management, I’ll be asked which controls to implement from the SANS Top 20 Critical Controls list.
Most serious computer security professionals I know look forward to each SANS Top 20 update and the poster that comes with it. It contains very good computer security defense advice, but as with any action list, it’s impossible to perfectly do more than a few things at once. Following is advice on which controls to do first, but first let me provide a little history on the SANS list.
It’s now the CIS Controls
SANS turned over the Top 20 list to the Center for Internet Security (CIS) years ago, and it’s now called the CIS Critical Security Controls. The CIS is another highly respected, non-profit computer security organization that has been around for decades. It is probably best known for publishing its operating system best-practice security recommendations and benchmarks. If you want an independent, non-governmental entity’s recommendations for securing Microsoft Windows, CIS is where you go.