Top 20 Critical Security Controls not popular with federal IT pros
Posted on 05 December 2013.
The National Security Agency created a best security practices list for its customers, which was later expanded through a large-scale community project initiated by the SANS Institute and sponsored by the Center for Strategic and International Studies (CSIS).

The outcome of this project was the Top 20 Critical Security Controls (20 CSC) – a prioritized list of security best practices that have been proven to help organizations combat the most common cybersecurity issues and to reduce the greatest number of exploitable cyberattack vectors.

According to a recent U.S. Government Accountability Office (GAO) study, the number of security incidents reported by federal agencies increased 782 percent from 2006 to 2012. Despite this growing number, survey results indicate that the 20 CSC have not yet been adopted by many federal agencies.

Tripwire surveyed the attitudes of 110 federal information technology professionals from military, intelligence and civilian agencies regarding the implementation of the 20 CSC, and these are the findings:
  • Only 11 percent of the respondents have implemented the 20 CSC.
  • Only 53 percent consider the 20 CSC to be valuable to their organization’s security strategy.
  • 66 percent do not have plans to adopt the 20 CSC at this time.
“The Top 20 Critical Security Controls were not designed to be a replacement or alternative for comprehensive risk management frameworks like FISMA,” said Tony Sager, director of programs for the Council on CyberSecurity.

“Instead, the Controls bring priority and focus to complex cybersecurity problems and make it possible to align the many complex and often conflicting schemes that regulate, oversee or determine security practices. Highly knowledgeable practitioners across every business sector have agreed that these 20 Critical Security Controls stop the vast majority of the attacks seen today.”

Additional Tripwire survey findings include:
  • Only 18 percent of respondents implementing controls are doing so in the order proposed.
  • 79 percent use the 20 CSC as general guidelines.
  • 88 percent believe the 20 CSC will complement, not replace, existing FISMA efforts.
“The 20 Critical Security Controls are easily understood by nontechnical mission owners and have been proven time and again by agencies around the world to be effective against the greatest number of targeted cyberattacks,” said Rekha Shenoy, vice president of marketing and corporate development for Tripwire.

“In addition, a significant percentage of these controls can be automated, dramatically reducing the time and resources required to implement them. For example, automation of security configuration management and vulnerability management makes implementation of continuous diagnostics and mitigation very achievable. Mission owners at every agency should be asking how their security strategies stack up against the 20 Critical Security Controls.”
