Top 20 Critical Security Controls


Critical Security Controls (CSC) 1-5 below are known collectively as Foundational Cyber Hygiene (FCH).  Studies cited for this framework report that organizations that have implemented the FCH controls are roughly 90% less likely to suffer a breach; treat that figure as an estimate of risk reduction against common attacks, not a guarantee.

CSC 1:  Inventory of Authorized and Unauthorized Devices
CSC 2:  Inventory of Authorized and Unauthorized Software
CSC 3:  Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
CSC 4:  Continuous Vulnerability Assessment and Remediation
CSC 5:  Controlled Use of Administrative Privileges

CSC 6:  Maintenance, Monitoring, and Analysis of Audit Logs
CSC 7:  Email and Web Browser Protections
CSC 8:  Malware Defenses
CSC 9:  Limitation and Control of Network Ports, Protocols, and Services
CSC 10:  Data Recovery Capability
CSC 11:  Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
CSC 12:  Boundary Defense
CSC 13:  Data Protection
CSC 14:  Controlled Access Based on the Need to Know
CSC 15:  Wireless Access Control
CSC 16:  Account Monitoring and Control
CSC 17:  Security Skills Assessment and Appropriate Training to Fill Gaps
CSC 18:  Application Software Security
CSC 19:  Incident Response and Management
CSC 20:  Penetration Tests and Red Team Exercises

The Top 5 Critical Security Controls = Foundational Cyber Hygiene (FCH)
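CSC 1 and CSC 2 both come down to the same mechanism: compare what is actually observed on the network or a host against an authorized baseline, flag anything observed that is not authorized, and report anything authorized that was not observed so the baseline itself stays accurate. The script below is an added example, not part of the original page or of the CIS Controls material. It parses constructed `ip neigh` output and a constructed dpkg-style package listing and reconciles each against a hypothetical baseline; the MAC addresses, hostnames, package set and sample lines are all made up.

```python
"""
Inventory reconciliation for CSC 1 (devices) and CSC 2 (software).

Both controls reduce to one check: observed vs. authorized.  Anything
observed but not authorized is flagged for investigation; anything
authorized but not observed is reported so the baseline can be corrected.
Every input in this file is a constructed sample.
"""
import re
from typing import Dict, Iterable, Set

# Constructed CSC 1 baseline: authorized devices keyed by MAC address.
AUTHORIZED_DEVICES: Dict[str, str] = {
    "00:11:22:33:44:55": "fs01.corp.example",
    "00:11:22:33:44:66": "ws-alice.corp.example",
    "00:11:22:33:44:77": "printer-2f.corp.example",
}

# Constructed `ip neigh` output as a gateway might report it.
IP_NEIGH_SAMPLE = """\
10.0.0.5 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
10.0.0.21 dev eth0 lladdr 00:11:22:33:44:66 STALE
10.0.0.99 dev eth0 lladdr de:ad:be:ef:00:01 REACHABLE
10.0.0.120 dev eth0 FAILED
"""

# Constructed CSC 2 baseline and a package listing in the shape of
# `dpkg-query -W -f='${Package}\t${Version}\n'` output.
AUTHORIZED_PACKAGES: Set[str] = {"openssh-server", "nginx", "curl"}
DPKG_SAMPLE = """\
openssh-server\t1:9.2p1-2
nginx\t1.22.1-9
netcat-traditional\t1.10-47
"""

NEIGH_RE = re.compile(
    r"^(?P<ip>\S+)\s+dev\s+\S+\s+lladdr\s+(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)


def parse_ip_neigh(text: str) -> Dict[str, str]:
    """Map MAC -> IP from `ip neigh` lines.  Entries without an lladdr
    field (e.g. FAILED) carry no hardware address and are skipped."""
    observed: Dict[str, str] = {}
    for line in text.splitlines():
        match = NEIGH_RE.match(line)
        if match:
            observed[match.group("mac").lower()] = match.group("ip")
    return observed


def parse_dpkg(text: str) -> Set[str]:
    """Package names from tab-separated 'name<TAB>version' lines."""
    return {line.split("\t", 1)[0] for line in text.splitlines() if line.strip()}


def reconcile(observed: Iterable[str], authorized: Iterable[str]) -> Dict[str, Set[str]]:
    """Split observed vs. authorized into the two sets an operator acts on."""
    observed_set, authorized_set = set(observed), set(authorized)
    return {
        "unauthorized": observed_set - authorized_set,  # investigate or quarantine
        "missing": authorized_set - observed_set,       # offline, or stale baseline
    }


def device_findings() -> Dict[str, Set[str]]:
    return reconcile(parse_ip_neigh(IP_NEIGH_SAMPLE), AUTHORIZED_DEVICES)


def software_findings() -> Dict[str, Set[str]]:
    return reconcile(parse_dpkg(DPKG_SAMPLE), AUTHORIZED_PACKAGES)


if __name__ == "__main__":
    observed_devices = parse_ip_neigh(IP_NEIGH_SAMPLE)
    for mac in sorted(device_findings()["unauthorized"]):
        print(f"UNAUTHORIZED DEVICE  {mac} at {observed_devices[mac]}")
    for mac in sorted(device_findings()["missing"]):
        print(f"MISSING DEVICE       {mac} ({AUTHORIZED_DEVICES[mac]})")
    for pkg in sorted(software_findings()["unauthorized"]):
        print(f"UNAUTHORIZED PACKAGE {pkg}")
    for pkg in sorted(software_findings()["missing"]):
        print(f"MISSING PACKAGE      {pkg}")
```

On the constructed input this flags the unknown MAC at 10.0.0.99 and the unlisted netcat package, and reports the printer and curl as authorized but not seen. A MAC address is trivially spoofed, so a real CSC 1 implementation pairs this kind of reconciliation with stronger identity signals such as 802.1X authentication or switch port records; the script shows the comparison step only.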

This list is based on version 6.0 of the Center for Internet Security (CIS) Critical Security Controls for Effective Cyber Defense, published in October 2015.  The list changes periodically in both order and content as technologies and the observed threats and attacks change; the numbering above is specific to version 6, and later revisions (version 8, released in 2021) consolidated the set to 18 controls and dropped the "Top 20" name, so map control numbers to the version in use before citing them.