20 Critical Security Controls

In 2009, the State Department implemented a bold strategy to continuously monitor cyberspace for malicious computer attacks. Chief Information Security Officer John Streufert led the effort. Part of what Streufert wanted to determine was whether he could tailor his security model to the 20 critical security controls, a set of risks that over 100 security experts determined to be the most common and likely security vulnerabilities facing government computer systems.

Prior to these controls, the National Institute of Standards and Technology concluded that there were 110 or more ways computer systems could be attacked. Former Energy Department and Air Force CIO John Gilligan changed all that when he brought together a powerful consortium to determine whether a subset of those risks was substantially more important than the rest, judged by the damage each could inflict and the likelihood of it occurring. As a result, the 20 critical controls were born.

Streufert opened a 24-hour security help desk to count the number of security incidents occurring on a daily basis. For 2008, State opened 2104 tickets. By 2009, the number went up to 3085. Different kinds of attacks occurred, but the most prevalent was malicious code, which rose from 39% of incidents in 2008 to 70% in 2009.

The 20 Critical Controls are judged by leading cybersecurity experts to address the most commonly used and effective ways computer attackers gain entry to systems and networks. Automating these controls has radically lowered the cost of security while improving its effectiveness.

SANS 20 Critical Security Controls