How to use critical security controls to prioritize action

Interesting. I once downloaded the Cis controls but it's like a lot of information. It's like a checklist to go through every areas right? Or did I missed out anything?

Yes, indeed, it is a huge checklist. I used it to scare myself. Haha.

It was also called the SANS Top 20 Controls which they will rearrange the criticality sequence every year. I like it because the top critical controls are inventory. It helps me to get the big picture of the environment that needs to secure because if you dunno what is in your environment, you cannot secure it. IMHO. From there, you can then prioritise which areas to secure/fix/decomm etc. It will also help when you choose any framework for ISMS.

Anyway, here's the full list from version 6.1
CSC1: Inventory of Authorised and Unauthorised Devices
CSC2: Inventory of Authorised and Unauthorised Software
CSC3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
CSC4: Continuous Vulnerability Assessment and Remediation
CSC5: Controlled Use of Administrative Privileges
CSC6: Maintenance, Monitoring, and Analysis of Audit Logs
CSC7: Emails and Web Browser Protections
CSC8: Malware Defences
CSC9: Limitation and Control of Network Ports, Protocols, and Services
CSC10: Data Recovery Capability
CSC11: Secure Configurations for Network Devices such as Firewalls, Routers and Switches
CSC12: Boundary Defense
CSC13: Data Protection
CSC14: Controlled Access Based on the Need to Know
CSC15: Wireless Access Control
CSC16: Account Monitoring & Control
CSC17: Security Skills Assessment and Appropriate Training to Fill Gaps
CSC18: Application Software Security
CSC19: Incident Response and Management
CSC20: Penetration Tests and Red Team Exercises

You can download a copy from here, www.cisecurity.org/critical-controls/Library.cfm

Wow. It's really Scary!! Does it have any script to run and check for u automatically?

Tony Sager of the Center for Internet Security shares insights on how successful security leaders use the critical controls to set priorities and guide action across the organization.
www.csoonline.com/article/3089414/leader...ioritize-action.html

 

Don't think so. Have to customise the script since each environment is different. Or use vulnerability assessments or tools to discover what is in your network.