20 Critical Controls

Columns: Control Name | Control Description | Example of Controls in Place | Risk | Cost | Time | Total

Critical Control 10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
Control Description: The processes and tools used to track/control/prevent/correct security weaknesses in the configurations of network devices such as firewalls, routers, and switches, based on formal configuration management and change control processes.
Example of Controls in Place: Secure configurations for network equipment; change default passwords; limit ports/services; firewall rules.
Risk 3 | Cost 2 | Time 3 | Total 8

Critical Control 11: Limitation and Control of Network Ports, Protocols, and Services
Control Description: The processes and tools used to track/control/prevent/correct the use of ports, protocols, and services on networked devices.
Example of Controls in Place: Firewall access control lists; change default passwords; limit services and ports; implement firewall rules.
Risk 3 | Cost 1 | Time 2 | Total 6

Critical Control 12: Controlled Use of Administrative Privileges
Control Description: The processes and tools used to track/control/prevent/correct the use, assignment, and configuration of administrative privileges on computers, networks, and applications.
Example of Controls in Place: Limit admin access; dual factor; remove access rights.
Risk 3 | Cost 3 | Time 3 | Total 9

Critical Control 13: Boundary Defense
Control Description: The processes and tools used to detect/prevent/correct the flow of information transferring across networks of different trust levels, with a focus on security-damaging data.
Example of Controls in Place: Basic secure configuration; control/remove admin access; firewall; IPS; proxy; DMZ; FTP/SSH (file transfer) tool/management.
Risk 3 | Cost 2 | Time 3 | Total 8

Critical Control 14: Maintenance, Monitoring, and Analysis of Audit Logs
Control Description: The processes and tools used to detect/prevent/correct the use of systems and information based on audit logs of events that are considered significant or could impact the security of an organization.
Example of Controls in Place: Event logging; enable logging; monitor monthly.
Risk 3 | Cost 3 | Time 1 | Total 7

Critical Control 15: Controlled Access Based on the Need to Know
Control Description: The processes and tools used to track/control/prevent/correct secure access to information according to the formal determination of which persons, computers, and applications have a need and right to access information based on an approved classification.
Example of Controls in Place: Classification of systems and data; classify systems by Confidential/Internal Use/Public based on department and application access; architecture strategy; required controls based on data type.
Risk 3 | Cost 1 | Time 3 | Total 7

Critical Control 16: Account Monitoring and Control
Control Description: The processes and tools used to track/control/prevent/correct the use of system and application accounts.
Example of Controls in Place: Disable terminated accounts; on-board/exit procedures; process in place to periodically review access to systems; review user lifecycle management system.
Risk 3 | Cost 2 | Time 2 | Total 7

Critical Control 17: Data Loss Prevention
Control Description: The processes and tools used to track/control/prevent/correct data transmission and storage, based on the data's content and associated classification.
Example of Controls in Place: BitLocker disk encryption.
Risk 2 | Cost 2 | Time 2 | Total 6

Critical Control 18: Incident Response and Management
Control Description: The processes and tools used to make sure an organization has a properly tested plan, with appropriately trained resources, for dealing with any adverse events or threats of adverse events. Note: This control has one or more sub-controls that must be validated manually.
Example of Controls in Place: Have a Cyber Incident Response Plan (CISP): practice and refine it; review incident metrics and adjust operational processes; communicate the plan to staff; execute as needed.
Risk 3 | Cost 2 | Time 3 | Total 8

Confidential
Version 1.0
9/30/2014