Читать книгу The Official (ISC)2 CISSP CBK Reference - Leslie Fife, Aaron Kraus - Страница 43
CIS Critical Security Controls
ОглавлениеThe CIS Critical Security Controls (or CIS Controls) is a publication of 20 best-practice guidelines for information security. The publication was initially created by SANS Institute but was transferred to the Center for Internet Security (CIS) in 2015. Today, you may see these 20 critical controls labeled CIS CSC, CIS 20, Sans Top 20, or other variants.
CIS Controls v7.1 was released in April 2019, and identifies the basic, foundational, and organizational controls that CIS recommends mitigating the most common attacks against networks and systems. According to the Center for Internet Security, the 20 Critical Security Controls are as follows:
CIS Control 1: Inventory and Control of Hardware Assets
CIS Control 2: Inventory and Control of Software Assets
CIS Control 3: Continuous Vulnerability Management
CIS Control 4: Controlled Use of Administrative Privileges
CIS Control 5: Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
CIS Control 6: Maintenance, Monitoring, and Analysis of Audit Logs
CIS Control 7: Email and Web Browser Protections
CIS Control 8: Malware Defenses
CIS Control 9: Limitation and Control of Network Ports, Protocols, and Services
CIS Control 10: Data Recovery Capabilities
CIS Control 11: Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches
CIS Control 12: Boundary Defense
CIS Control 13: Data Protection
CIS Control 14: Controlled Access Based on the Need to Know
CIS Control 15: Wireless Access Control
CIS Control 16: Account Monitoring and Control
CIS Control 17: Implement a Security Awareness and Training Program
CIS Control 18: Application Software Security
CIS Control 19: Incident Response and Management
CIS Control 20: Penetration Tests and Red Team Exercises
NOTE The controls and subcontrols within the CIS CSC break down into what are known as Implementation Groups. According to CIS, “Implementation Groups provide a simple and accessible way to help organizations of different classes focus their security resources, and still leverage the value of the CIS Controls program ….” In essence, these Implementation Groups help organizations prioritize controls and identify the subcontrols that are most reasonable for level of expertise and their risk profile. Visit www.cissecurity.org for more information on the CSC and their Implementation Groups.