Policies and Controls are King in the IT Security world

I came across an article by Roger Grimes over at Infoworld on how security policies and controls are the real power when it comes to IT security.

Roger mentions the SANS 20 Critical Security Controls for Effective Cyber Defence, which are a great read for anyone looking at updating or auditing your policies for completeness.

The SANS top 20 controls are a must for any organization:

1. Inventory of Authorized and Unauthorized Devices


2. Inventory of Authorized and Unauthorized Software


3. Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers


4. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches


5. Boundary Defense


6. Maintenance, Monitoring, and Analysis of Security Audit Logs


7. Application Software Security


8. Controlled Use of Administrative Privileges


9. Controlled Access Based on the Need to Know


10. Continuous Vulnerability Assessment and Remediation


11. Account Monitoring and Control


12. Malware Defenses


13. Limitation and Control of Network Ports, Protocols, and Services


14. Wireless Device Control


15. Data Loss Prevention


16. Secure Network Engineering


17. Penetration Tests and Red Team Exercises


18. Incident Response Capability


19. Data Recovery Capability


20. Security Skills Assessment and Appropriate Training to Fill Gaps

If you are missing policies dealing with any of these, this would be a great time to look at implementing them, especially with such a great resource now available.