Assurance, not Compliance - Using the 20 Critical Security Controls

Randy Marchany, CISO, Virginia Tech IT Security Office and Lab

One of the challenges of an information security program is how to translate the high level requirements of an Infosec standard such as ISO 27002 into an effective operational implementation plan. For example, how does one translate an ISO 27002 coverage area such as asset management into a checklist of steps to actually perform asset management within an organization?

The Center for Internet Security (CIS) 20 Critical Security Controls (CSC) provide a bridge between high level architectural concepts and actual implementation. The 20 CSC are a prioritized set of technical controls designed to help organizations defend their information systems. These controls are only useful if we take the time to implement and follow them.

Compliance with Established Security Architecture Standards

The CSC provide effective defenses against the most common current threats, with a strong emphasis on known actions that produce measurable results. They were derived from the most common attack patterns and were vetted across a widespread community of government and industry. The 20 Critical Security Controls are:

1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
4. Continuous Vulnerability Assessment and Remediation
5. Controlled Use of Administrative Privileges
6. Maintenance, Monitoring, and Analysis of Audit Logs
7. Email and Web Browser Protections
8. Malware Defenses
9. Limitation and Control of Network Ports, Protocols, and Services
10. Data Recovery Capability
11. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
12. Boundary Defense
13. Data Protection
14. Controlled Access Based on the Need to Know
15. Wireless Access Control
16. Account Monitoring and Control
17. Security Skills Assessment and Appropriate Training to Fill Gaps
18. Application Software Security
19. Incident Response and Management
20. Penetration Tests and Red Team Exercises

James Tarala has created an excellent site that contains a number of spreadsheets to measure implementation progress, provide an executive summary and map the controls to InfoSec standards. Each individual CSC is mapped to the following standards:

■ NIST 800-53 rev 4
■ NIST 800-171
■ NIST Core Framework
■ DHS CDM Program
■ ISO 27002-2013, 27002-2005
■ Australian Top 35
■ NSA Top 10
■ GCHQ 10 Steps
■ UK Cyber Essentials
■ UK ICO Protecting Data
■ PCI DSS 3.0
■ FFIEC Examination Handbook
■ NERC CIP v3, v4, v5
■ CSA (Cloud Security Alliance) CCM v3
■ FY15 FISMA Metrics
■ ITIL 2011 KPIs

Our focus is ASSURANCE not compliance.

Step 1: Do the CSC gap analysis first

I highly recommend doing a gap analysis to measure how your organization's security architecture maps to the 20 CSC. Asking the following questions helps you determine where the gaps are:

Where does your organization have deficiencies?
What are the most important next steps for your organization?
What evaluation plan will you follow in light of these controls?

The first step of the implementation strategy is to identify the gaps between the current state of an organization and meeting the requirements of each control. Figure 1 shows a sample gap analysis of a hypothetical company. The control number is shown on the X-axis and the percentage complete is shown on the Y-axis. Frankly, you should expect your first gap analysis to be somewhat dismal. The orange bars highlight areas where a control implementation is less than 50 percent. Your initial gap analysis establishes the baseline to be used to measure progress of the implementation. Subsequent gap analyses should show improvement in the deficient areas of a previous gap analysis.

Suppose we want to determine how well we comply with Control 1, Inventory of Authorized and Unauthorized Devices. We need to answer the what, who and how questions.

What should be in the inventory?

Network hardware – routers, switches, access points, accurate locations of these devices
“Traditional” hardware – servers, desktops, laptops, BYOD
“Specialized” hardware – IoT devices such as cameras, access controls, industrial control systems, laboratory data acquisition equipment, building management systems

You have to find the asset before you can defend it. This isn't a trivial task because most networks offer many ways for a device to connect. For example, here are some possible connection points:

Wired, static IP addresses (IPv4 and IPv6)
Wired, DHCP assigned addresses
Wired VPN
Wireless, wireless DHCP, wireless VPN

Who has the information for the equipment in the above list?

Hardware asset information is spread out over multiple departments within an organization. You need to determine all of the possible ways a machine can connect to your network. Here are some possible sources of information to help you determine where your assets are:

Network management group – The network management group in your organization usually has some sort of database that lists the physical locations of wired hosts. This information is usually kept for diagnostic purposes to help technicians locate a device that is having connection problems.

Individual and departmental system administrators – usually some spreadsheets or inventory tracking software for the assets in their groups.

Network scanner – the IT Security office, systems group or network management group may run daily scans of your organization's network listing the live hosts by type. This list of IP addresses, used in conjunction with the network management group's location database mentioned above, gives an “inventory” of systems connected to your network.

SIEMs and centralized log servers – DHCP, VPN and authentication logs record devices that have connected, including ones that a point-in-time scan may have missed.

How do I obtain copies of the above information to determine what our gaps are?

Once you identify who has the information then you see if you can get copies of that data. This will test your political skills mostly because work groups want to restrict access to their data. You will need to prepare a business case for accessing and/or copying the appropriate information.
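Once the data is in hand, the gap for Control 1 is a reconciliation problem: which devices are seen on the network but appear in no register, and which registered devices show no sign of being connected? The following script is an added example, not part of the original article or of any CIS tool, that merges three of the sources listed above (a departmental asset register, the network group's switch-port database and a daily scan) and reports a percentage-complete figure of the kind plotted in Figure 1. All of the sample data is constructed for the example; the field names and file layout are assumptions, and a real pipeline would read them from exported CSVs.

```python
"""Control 1 gap check: reconcile observed devices against the authorized inventory.

All inputs below are constructed sample data (not real hosts). Devices are keyed
by MAC address because IP addresses change under DHCP and a host may hold both an
IPv4 and an IPv6 address; MAC is the stable join key across the three sources.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import Dict, List, Optional, Set, Tuple

# Departmental asset register: what system administrators believe is authorized.
ASSET_REGISTER: Dict[str, Dict[str, str]] = {
    "00:11:22:aa:bb:01": {"owner": "Finance", "type": "desktop"},
    "00:11:22:aa:bb:02": {"owner": "Finance", "type": "laptop"},
    "00:11:22:aa:bb:03": {"owner": "Facilities", "type": "bms-controller"},
    "00:11:22:aa:bb:04": {"owner": "IT", "type": "server"},   # registered, never seen
}

# Network management group's database: MAC -> (switch, port) for wired hosts.
SWITCH_PORT_DB: Dict[str, Tuple[str, str]] = {
    "00:11:22:aa:bb:01": ("sw-fin-1", "Gi1/0/7"),
    "00:11:22:aa:bb:02": ("sw-fin-1", "Gi1/0/9"),
    "00:11:22:aa:bb:03": ("sw-fac-2", "Gi1/0/3"),
    "00:11:22:aa:bb:99": ("sw-fac-2", "Gi1/0/12"),   # in no register at all
}

# Daily scan export, assumed format: "ip mac open_ports", one live host per line.
SCAN_LINES = """\
10.0.1.10 00:11:22:aa:bb:01 22,3389
10.0.1.11 00:11:22:aa:bb:02 22
10.0.2.5 00:11:22:aa:bb:99 80,23
10.0.2.6 00:11:22:aa:bb:03 502
2001:db8::15 00:11:22:aa:bb:02 22
"""


@dataclass
class Device:
    mac: str
    ips: Set[str] = field(default_factory=set)
    location: Optional[str] = None   # "switch/port" from the network group's DB
    owner: Optional[str] = None      # from the departmental register
    kind: Optional[str] = None


@dataclass
class GapReport:
    authorized: List[Device]      # on the network and in a register
    unauthorized: List[Device]    # on the network, in no register
    unaccounted: List[Device]     # registered, but no evidence it is connected
    percent_complete: float       # share of observed devices that are authorized


def parse_scan(text: str) -> Dict[str, Set[str]]:
    """Return {mac: set(ips)} from scan lines, skipping malformed or invalid ones."""
    seen: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        ip, mac = parts[0], parts[1].lower()
        try:
            ip_address(ip)   # accepts IPv4 and IPv6, rejects junk such as 999.1.1.1
        except ValueError:
            continue
        seen.setdefault(mac, set()).add(ip)
    return seen


def reconcile(register, switch_db, scan_text) -> GapReport:
    """Merge the three sources and split devices into the three gap buckets."""
    observed = parse_scan(scan_text)
    on_network = set(observed) | set(switch_db)
    devices: Dict[str, Device] = {}
    for mac in on_network | set(register):
        d = Device(mac=mac, ips=observed.get(mac, set()))
        if mac in switch_db:
            d.location = "{}/{}".format(*switch_db[mac])
        if mac in register:
            d.owner = register[mac]["owner"]
            d.kind = register[mac]["type"]
        devices[mac] = d
    authorized = sorted(m for m in on_network if m in register)
    unauthorized = sorted(m for m in on_network if m not in register)
    unaccounted = sorted(m for m in register if m not in on_network)
    pct = 100.0 * len(authorized) / len(on_network) if on_network else 0.0
    return GapReport([devices[m] for m in authorized],
                     [devices[m] for m in unauthorized],
                     [devices[m] for m in unaccounted], pct)


if __name__ == "__main__":
    report = reconcile(ASSET_REGISTER, SWITCH_PORT_DB, SCAN_LINES)
    flag = "BELOW 50% - prioritize" if report.percent_complete < 50 else "ok"
    print(f"Control 1: {report.percent_complete:.0f}% complete ({flag})")
    for d in report.unauthorized:
        print(f"  UNAUTHORIZED {d.mac} at {d.location} ips={sorted(d.ips)}")
    for d in report.unaccounted:
        print(f"  UNACCOUNTED  {d.mac} owner={d.owner} type={d.kind}")
```

The two lists that come out are the actionable part of the gap: an unauthorized device with a known switch port can be traced and either registered or disconnected, and an unaccounted device is a register entry to verify or retire. Run against the constructed data, the BMS controller from Facilities is correctly matched across all three sources, the laptop is reported once despite appearing with both an IPv4 and an IPv6 address, and the finding on sw-fac-2 port Gi1/0/12 is the kind of device no single department knew about.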

Once you’ve finished the gap analysis for each of the 20 CSC, the next step is to prepare an operational plan to implement the controls throughout your organization. You’ll find that you’re further along on some of the controls than on others, and the plan should put the deficient ones first.

What’s next?

In this article, I’ve described the basics of the 20 Critical Security Controls, how they map to well-known Infosec standards and the basics of doing a gap analysis to determine how your security architecture follows the controls. The 20 Critical Security Controls provide you with a blueprint for creating an effective security plan for your organization.
