Using Unified VRM to Implement SANS 20 Critical Security Controls
- Sep 17, 2013
- Michelangelo Sidagni
The SANS 20 Critical Security Controls are prioritized mitigation steps to improve cybersecurity. Coordinated through the SANS Institute, many companies with mature security programs are aware of and have adopted the security controls with the objectives of increasing visibility of attacks, improving response preparedness and reducing information security risk.
Implementing the Critical Security Controls delivers both immediate and long-term benefits as the processes become formalized into your organization’s IT approach. However, as cited in the SANS 2013 Critical Security Controls Survey, “Moving From Awareness to Action,” many organizations struggle to enable the controls despite the significant benefits.
Many of the critical security controls cross organizational boundaries. In order for security improvements to be made, security and IT operations must work together in a coordinated fashion. Adopting the controls also requires technical knowledge that sometimes requires additional training of staff. Somewhat surprisingly, the third most frequent barrier to adoption is “the inability to prioritize which of the Controls to implement first.”
It is not necessary to approach all controls at the same time, and it can be effective to prioritize and address the areas that pose the greatest risk to your specific organization. There are also some logical interdependencies to take into consideration. NopSec security engineers generally recommend focusing efforts on near-term implementations of the highest-priority Controls and on upgrading existing implementations of some of the lower-level Controls. Regardless of where you start, vulnerability management is a commitment to decreasing the risk of a security breach and ensuring compliance with your company’s security policies.
We have worked with a number of customers to help address the critical security controls using NopSec’s software-as-a-service, Unified VRM. Many actions can be automated through vulnerability risk management, which results in compliance at dramatically reduced cost. You can learn more about NopSec’s approach to helping achieve the 20 Critical Security Controls in “Whitepaper: SANS 20 Critical Security Controls”. The information in this whitepaper is intended for a technical reader and should help you understand each control and how features in Unified VRM map to the respective control.