Using the Top 20 Critical Controls as a Security Framework

ISO 27000, COBIT and other security governance frameworks offer excellent guides for extending an intermediate or mature security program. Unfortunately, organizations with immature or weaker security programs may find implementing one of these frameworks intimidating, costly, and ultimately not worth the effort involved. For these organizations, an alternative exists to help create a functioning security governance program that can later evolve into a higher-level security governance framework if desired. The Top 20 Critical Controls are a public framework created by SANS through mapping to NIST 800-53. The controls enforce the notion that prevention and detection are both critical in today's threat landscape, and they advocate using offensive knowledge to strengthen defense.

This talk uses a hypothetical case study to explain the Top 20 Critical Controls and their inclusion as the basis of a security program. It includes running an assessment to identify implementation gaps and offers thoughts on implementing the controls within an organization. Viewers will gain an understanding of the Top 20 Critical Controls and how they can implement the framework within their own organization.