Read the book The Official (ISC)2 CISSP CBK Reference - Leslie Fife, Aaron Kraus - Page 43

CIS Critical Security Controls


The CIS Critical Security Controls (or CIS Controls) is a publication of 20 best-practice guidelines for information security. The publication was initially created by the SANS Institute but was transferred to the Center for Internet Security (CIS) in 2015. Today, you may see these 20 critical controls labeled CIS CSC, CIS 20, SANS Top 20, or other variants.

CIS Controls v7.1 was released in April 2019 and identifies the basic, foundational, and organizational controls that CIS recommends for mitigating the most common attacks against networks and systems. According to the Center for Internet Security, the 20 Critical Security Controls are as follows:

 CIS Control 1: Inventory and Control of Hardware Assets

 CIS Control 2: Inventory and Control of Software Assets

 CIS Control 3: Continuous Vulnerability Management

 CIS Control 4: Controlled Use of Administrative Privileges

 CIS Control 5: Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers

 CIS Control 6: Maintenance, Monitoring, and Analysis of Audit Logs

 CIS Control 7: Email and Web Browser Protections

 CIS Control 8: Malware Defenses

 CIS Control 9: Limitation and Control of Network Ports, Protocols, and Services

 CIS Control 10: Data Recovery Capabilities

 CIS Control 11: Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches

 CIS Control 12: Boundary Defense

 CIS Control 13: Data Protection

 CIS Control 14: Controlled Access Based on the Need to Know

 CIS Control 15: Wireless Access Control

 CIS Control 16: Account Monitoring and Control

 CIS Control 17: Implement a Security Awareness and Training Program

 CIS Control 18: Application Software Security

 CIS Control 19: Incident Response and Management

 CIS Control 20: Penetration Tests and Red Team Exercises

NOTE The controls and subcontrols within the CIS CSC break down into what are known as Implementation Groups. According to CIS, “Implementation Groups provide a simple and accessible way to help organizations of different classes focus their security resources, and still leverage the value of the CIS Controls program ….” In essence, these Implementation Groups help organizations prioritize controls and identify the subcontrols that are most reasonable for their level of expertise and their risk profile. Visit www.cissecurity.org for more information on the CSC and their Implementation Groups.
