20 Critical Security Controls

Qualys Guide to Automating CIS — 20 Critical Security Controls

The many endorsements for the controls include:

• A California Attorney General report from 2016 stated that the CSCs represent “a minimum level of information security that all organizations that collect or maintain personal information should meet” and that failing to implement them “constitutes a lack of reasonable security.”

• The U.S. National Institute of Standards and Technology (NIST) cites the CSCs as one of the “informative references” for its Framework for Improving Critical Infrastructure Cybersecurity.

As you’ll see from this whitepaper, the Qualys Cloud Platform, a single, integrated, end-to-end platform, can help security teams of any size adopt the CIS controls broadly and comprehensively. Its scalable and extensible architecture powers Qualys’ IT security and compliance cloud apps, giving you continuous, always-on assessment of your global security and compliance posture, with visibility across all your IT assets wherever they reside. Qualys solutions can provide in-depth assessment and validation of all critical security controls and related technologies, to check that they are in place, properly configured, and free from vulnerabilities.
CSC #     CRITICAL SECURITY CONTROL
CSC #1    Inventory of Authorized and Unauthorized Devices
CSC #2    Inventory of Authorized and Unauthorized Software
CSC #3    Secure Configurations for Hardware and Software
CSC #4    Continuous Vulnerability Assessment & Remediation
CSC #5    Controlled Use of Administrative Privileges
CSC #6    Maintenance, Monitoring, and Analysis of Audit Logs
CSC #7    Email and Web Browser Protections
CSC #8    Malware Defenses
CSC #9    Limitation and Control of Network Ports
CSC #10   Data Recovery Capability
CSC #11   Secure Configurations for Network Devices
CSC #12   Boundary Defense
CSC #13   Data Protection
CSC #14   Controlled Access Based on the Need to Know
CSC #15   Wireless Access Control
CSC #16   Account Monitoring and Control
CSC #17   Security Skills Assessment and Appropriate Training to Fill Gaps
CSC #18   Application Software Security
CSC #19   Incident Response and Management
CSC #20   Penetration Tests and Red Team Exercises

Now we’ll take a closer look at all of the controls, and explain how Qualys can help you implement them.

+1 800 745 4355 | qualys.com

CSC 1 & CSC 2

Inventory of Authorized and Unauthorized Devices: Actively manage (inventory, track, and correct) all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access.

Inventory of Authorized and Unauthorized Software: Actively manage (inventory, track, and correct) all software on the network so that only authorized software is installed and can execute, and unauthorized and unmanaged software is found and prevented from installation or execution.

The first two controls address the importance of having visibility into your IT environment. You can’t protect, nor defend yourself from, devices and software that you don’t know are in your network. These blind spots are proliferating as organizations adopt technologies and processes that blur traditional network boundaries, making it easy for end users to bypass the IT department and giving attackers many more entry points.
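The core of CSC 1 and CSC 2 is a reconciliation: what was actually observed on the network and on the host, compared against what the organization says is authorized. The script below is an added example, not code from this whitepaper or from Qualys, showing that reconciliation for both controls at once. All of its inputs are constructed samples: a small authorized-device inventory keyed by MAC address, discovery output in the shape of an ARP table, a software allow-list, and a package list in the shape of `dpkg-query -W` output. The MACs, hostnames, package names and version strings are illustrative only.

```python
"""Added example for CSC 1 and CSC 2: reconcile observed devices and installed
software against authorized inventories and report the gaps.

All data below is constructed for illustration, not taken from a real network."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Iterator, List, Set, Tuple

# Constructed: authorized hardware inventory, keyed by normalized MAC address.
AUTHORIZED_DEVICES: Dict[str, Dict[str, str]] = {
    "00:11:22:33:44:55": {"hostname": "web01", "owner": "platform-team"},
    "00:11:22:33:44:66": {"hostname": "db01", "owner": "data-team"},
    "00:11:22:33:44:77": {"hostname": "jump01", "owner": "platform-team"},
}

# Constructed: discovery output in the shape of an ARP table, "<ip> <mac>" per line.
# Exporters emit MACs in mixed case and with mixed separators; normalize before comparing.
DISCOVERED_ARP = """\
10.0.1.10 00:11:22:33:44:55
10.0.1.11 00-11-22-33-44-66
10.0.1.57 DE:AD:BE:EF:00:01
"""

# Constructed: software allow-list, package name -> approved version strings.
AUTHORIZED_SOFTWARE: Dict[str, Set[str]] = {
    "openssh-server": {"1:9.6p1-3ubuntu13.5"},
    "nginx": {"1.24.0-2ubuntu7.1"},
}

# Constructed: host package list in the shape of
# dpkg-query -W -f='${Package} ${Version}\n'
INSTALLED_PACKAGES = """\
openssh-server 1:9.6p1-3ubuntu13.5
nginx 1.24.0-2ubuntu7
netcat-traditional 1.10-48
"""

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")


@dataclass(frozen=True)
class Finding:
    kind: str     # unauthorized_device | missing_device | unauthorized_software | unapproved_version
    subject: str  # MAC address or package name
    detail: str


def normalize_mac(raw: str) -> str:
    """Canonical form: lowercase, colon-separated. Anything else is rejected
    so that a malformed record cannot silently pass as 'not in inventory'."""
    mac = raw.strip().lower().replace("-", ":")
    if not MAC_RE.match(mac):
        raise ValueError(f"unrecognized MAC address: {raw!r}")
    return mac


def parse_arp(text: str) -> Iterator[Tuple[str, str]]:
    """Yield (ip, mac) pairs from '<ip> <mac>' lines, skipping blank lines."""
    for line in text.splitlines():
        if line.strip():
            ip, mac = line.split()[:2]
            yield ip, normalize_mac(mac)


def audit_devices(discovered: Iterable[Tuple[str, str]],
                  authorized: Dict[str, Dict[str, str]]) -> List[Finding]:
    """CSC 1: observed but not inventoried is unauthorized; inventoried but not
    observed is reported too, since the inventory is only useful if it is kept current."""
    findings: List[Finding] = []
    seen: Set[str] = set()
    for ip, mac in discovered:
        seen.add(mac)
        if mac not in authorized:
            findings.append(Finding("unauthorized_device", mac, f"observed at {ip}, not in inventory"))
    for mac, meta in authorized.items():
        if mac not in seen:
            findings.append(Finding("missing_device", mac, f"{meta['hostname']} in inventory but not observed"))
    return findings


def parse_packages(text: str) -> Iterator[Tuple[str, str]]:
    """Yield (name, version) from '<package> <version>' lines; versions may contain spaces-free colons."""
    for line in text.splitlines():
        if line.strip():
            name, version = line.split(maxsplit=1)
            yield name, version.strip()


def audit_software(installed: Iterable[Tuple[str, str]],
                   authorized: Dict[str, Set[str]]) -> List[Finding]:
    """CSC 2: an unknown package is unauthorized; a known package at a version not
    on the allow-list is flagged separately so it can be patched rather than removed."""
    findings: List[Finding] = []
    for name, version in installed:
        if name not in authorized:
            findings.append(Finding("unauthorized_software", name, f"{version} installed, package not on allow-list"))
        elif version not in authorized[name]:
            approved = ", ".join(sorted(authorized[name]))
            findings.append(Finding("unapproved_version", name, f"{version} installed, approved: {approved}"))
    return findings


def run_audit() -> List[Finding]:
    """Run both checks against the constructed samples."""
    return (audit_devices(parse_arp(DISCOVERED_ARP), AUTHORIZED_DEVICES)
            + audit_software(parse_packages(INSTALLED_PACKAGES), AUTHORIZED_SOFTWARE))


if __name__ == "__main__":
    for f in run_audit():
        print(f"{f.kind:22} {f.subject:20} {f.detail}")
```

On the sample data this yields four findings: the unknown MAC at 10.0.1.57, the inventoried jump host that was never observed, nginx at a version not on the allow-list, and a netcat package that is not on the allow-list at all. In a real deployment the two discovery inputs would come from your scanner or agent rather than from literals, and the "missing_device" case is the one most teams forget: an inventory entry with no corresponding observation is either a stale record or a device that has moved somewhere you are not scanning.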