SANS Top 20 Security Controls and Risk Appetite-based Control Selection

SANS has, for years, published and maintained the Top 20 Critical Security Controls (now in version 4.1). These 20 Critical Security Controls, whose origins go back beyond 2008, were implemented by the US State Department in 2009, apparently leading to an 88% reduction in vulnerability-based risk. This success led to the controls being more widely implemented across public and private sectors in the USA and, in 2011, the UK’s CPNI announced that the UK would also adopt the controls.

I see something of a face-off between two different approaches to information security risk:

  1. There is the ISO27001 approach which says, in essence, that controls should be selected on the basis of an asset-based risk assessment and only insofar as is necessary to assuage management’s appetite for risk; and
  2. The ‘baseline security’ approach, which says that there are certain risks which are so unavoidable that every organisation ought as a matter of course to adopt the relevant controls – irrespective of their implementation cost or management’s appetite for risk.

You could, of course, identify a parallel between the US approach to corporate governance (‘comply or get into very big trouble with regulators and everyone else’) and the UK’s approach (‘comply or explain’). Increasingly, I suspect, the US approach will become dominant – not because of anything intrinsically better about its American origins but just because it recognises (whether deliberately or not) that the Internet is a shared international infrastructure (like a highway) and that any organisation connected to it can damage all the others, whether it means to or not – rather like a motor vehicle which, because of its capacity for harm, has to be licensed, roadworthy and driven by a competent, licensed driver.

A poorly defended corporate network can be taken over by hackers and used to mount Distributed Denial of Service attacks. Ill-protected webservers and sites can be used as part of a pharming strategy, or to auto-download malware into the browsers of legitimate visitors. As multiple payment card and personal data breach headlines have proven, poorly-secured websites expose the data of unsuspecting users to malefactors the world over.

Private sector organisations that want to connect to government networks are increasingly told that they must first implement security controls which are aligned with the government’s appetite for cyber risk (which is quite low!) rather than their own. While many of the larger private sector organisations are still quite reticent about specifying minimum security controls required in their supply chain, it can only be a matter of time before this sort of practice becomes widespread.

I imagine that we will then see the two approaches to information security merging: most organisations will expect to have to adopt a minimum set of security controls, irrespective of their management’s risk appetite, and they will then select whatever additional controls are necessary to mitigate their own business-specific legal, contractual or business risks.