Introduction to Critical Security Controls
Cybersecurity attacks are increasing and evolving so rapidly that it is more difficult than ever to prevent and defend against them. Does your organization have an effective method in place to detect, thwart, and monitor external and internal threats to prevent security breaches? Does your organization need an on-ramp to implementing a prioritized list of technical protections?
In February 2016, then California Attorney General (now Vice President) Kamala Harris recommended that "The 20 controls in the Center for Internet Security's Critical Security Controls identify a minimum level of information security that all organizations that collect or maintain personal information should meet. The failure to implement all the Controls that apply to an organization's environment constitutes a lack of reasonable security."
SANS has designed SEC440 as an introduction to the CIS Critical Controls, in order to provide students with an understanding of the underpinnings of a prioritized, risk-based approach to security. The technical and procedural controls explained in the CIS Controls were proposed, debated, and consolidated by private and public sector experts from around the world. Previous versions of the CIS Controls were prioritized by ordering, with the first six CIS Critical Controls labeled as "cyber hygiene"; the CIS Controls are now organized into Implementation Groups for prioritization purposes.
The Controls are an effective security framework because they are based on actual attacks launched regularly against networks. Priority is given to Controls that (1) mitigate known attacks, (2) address a wide variety of attacks, and (3) identify and stop attackers early in the compromise cycle.
The course introduces security and compliance professionals to approaches for implementing the controls in an existing network through cost-effective automation. For auditors, CIOs, and risk officers, the course is the best way to understand how you will measure whether the Controls are effectively implemented.
This Course Will Prepare You to:
- Understand a security framework and its controls based on recent and evolving threats facing organizations
- Interpret a security framework based on data from publicly known attacks, breach reports, and large-scale data analytics from the Verizon Data Breach Investigations Report (DBIR), along with data from the Multi-State Information Sharing and Analysis Center® (MS-ISAC®)
- Understand the importance of each control, how it is compromised if ignored, and explain the defensive goals accomplished with each control
- Identify tools that implement controls through automation
- Learn how to create a scoring tool for measuring the effectiveness of each control
- Identify specific metrics to establish a baseline and measure the effectiveness of security controls
NOTICE TO STUDENTS
- The CIS released version 8 of the Controls in May 2021. This course content is updated to reflect the changes in the CIS Critical Controls.
- Please note SEC440 does not contain any labs. Students looking for hands-on labs involving the Critical Controls should take SEC566: Implementing and Auditing CIS Critical Controls.
- The CIS Controls are listed below. You will find the full document describing them in detail posted at the Center for Internet Security.
- Take your learning beyond the classroom. Explore the SANS Cybersecurity Leadership curriculum site for additional resources related to this course's subject matter.
CIS CRITICAL CONTROLS
- CIS Control #1: Inventory and Control of Enterprise Assets
- CIS Control #2: Inventory and Control of Software Assets
- CIS Control #3: Data Protection
- CIS Control #4: Secure Configuration of Enterprise Assets and Software
- CIS Control #5: Account Management
- CIS Control #6: Access Control Management
- CIS Control #7: Continuous Vulnerability Management
- CIS Control #8: Audit Log Management
- CIS Control #9: Email and Web Browser Protections
- CIS Control #10: Malware Defenses
- CIS Control #11: Data Recovery
- CIS Control #12: Network Infrastructure Management
- CIS Control #13: Network Monitoring and Defense
- CIS Control #14: Security Awareness and Skills Training
- CIS Control #15: Service Provider Management
- CIS Control #16: Application Software Security
- CIS Control #17: Incident Response Management
- CIS Control #18: Penetration Testing
WHAT YOU WILL RECEIVE
- MP3 audio files of the complete course lecture
- Printed and Electronic Courseware
WHAT TO TAKE NEXT
"As we've had the opportunity to talk with information assurance engineers, auditors, and managers over the past ten years, we've seen frustration in the eyes of these hardworking individuals who are trying to make a difference in their organizations by better defending their data systems. It has even come to the point where some organizations have decided that it's simply too hard to protect their information, and many have started to wonder, is the fight really worth it? Will we ever succeed? We see companies and agencies making headway, but the offense keeps pushing. The goal of this course is to give direction and a realistic hope to organizations attempting to secure their systems.
The SANS course, SEC440: CIS Critical Controls: A Practical Introduction, offers direction and guidance from those in the industry who think through the eyes of the attacker as to what security controls will make the most impact. What better way to play defense than by understanding the mindset of the offense? By implementing our defense methodically and with the mindset of a hacker, we think organizations have a chance to succeed in this fight. We hope this course helps turn the tide."
- James Tarala & Kelli K. Tarala
"Very detailed and easy to follow. This is exactly what I was looking for to wrap my head around the framework and understand it." - John Kowallkowski, Splunk