The Controls are specific guidelines that CISOs, CIOs, IGs, systems administrators, and information security personnel can use to manage and measure the effectiveness of their defenses.The 20 Critical Controls define 20 actionable items that form the basis of a workable IT Security strategy. These items provide you with a security architecture that maps to compliance requirements such as NIST 800-53, ISO 27002, PCI-DSS and elements of Continuous Monitoring and Detection which address 70-80% of known attack vectors. Implementing the 20 critical controls in your organization is a long term project. An important component of this implementation strategy is the ability to collect metrics to effectively measure progress. This presentation discusses the 20 critical controls, shows examples and provides you with some suggestions on where in your organization to get the information needed to implement the controls. For more detailed information on the 20 Critical Controls, sign up for SEC 566 \Implementing and Auditing the Critical Security Controls - In Depth" class taught by Randy Marchany in Scottsdale, AZ on 2/16-20/2015. Details are at https://www.sans.org/event/scottsdale-2015/course/implementing-auditing-critical-security-controls.""