The need for an IT Security Framework

In every business, whether it be manufacturing, law, non-profit or healthcare, there exists a need for Standard Operating Procedures. These procedures outline how to react to events, how to perform business functions, and what reference material to consult if required. In IT Security, standard operating procedures are written by institutions or government organizations as recommendations, or a framework, on how to adequately secure your network. The Center for Internet Security is a US-based, not-for-profit organization whose mission is to “enhance the cyber security readiness and response of public and private sector entities, with a commitment to excellence through collaboration.” This organization is widely recognized as the de facto standard for IT Security.

Amongst other publications, the Center for Internet Security (CIS) publishes what is known as the Top 20 Critical Security Controls. This report is a recommended set of actions that private organizations should be using to properly secure their IT infrastructure. These controls are based on current attacks and up-to-date vulnerabilities and are written by pillars of the Information Security community such as the NSA Red Team and the US Department of Energy nuclear energy labs. The controls are derived from and vetted by this community and outline actionable items an organization can take to adequately protect its resources, data, and intellectual property.

This list of Top 20 Critical Security Controls was developed out of necessity. The National Security Agency was working directly with the Department of Defense to prioritize spending on the protection of resources, data, and information. The original list was intended only to block the most common attacks and was for official use only. The Center for Internet Security, in conjunction with the SANS Institute, wished to work with the NSA in a public-private consortium to share this original list. That group was permitted to use the NSA’s attack data to develop a similar list of controls for public and private use and distribution. The primary reason for the NSA to share this information was that the military could not protect our nation if the communications, power, and financial sectors were not also protected. The list was developed, and is now maintained, to give private industry the means necessary to protect its IT resources.

Anyone who has interacted with company-owned IT equipment knows that some level of security was in mind when it was set up. Now ask yourself whether that level has been compared to that of our Government and the essential industries in our nation. Unfortunately, it has been proven that not many organizations can say it has. A quick look at the news will show you those that may not have the proper steps in place to protect their data and information. The need for IT Security is higher now than ever; this need is not to be taken lightly and would be best served by a team that is experienced with these controls.

After adopting the Top 20 Critical Security Controls, IT departments are better equipped to protect assets from attack and to maintain a higher level of security across the network. However, it is tough for them to be asked to bring the infrastructure to this level of security on their own. Network Access is proficient at assessing your current network and at recommending and implementing the proper tools and procedures so that your organization adheres to the Top 20 Critical Security Controls. Not only are we there to assist with recommendation and implementation, but also with the ongoing management of, and assistance with, this new methodology.