Control Analysis
Introduction
Control Analysis is about carving out those areas that we control by technical, procedural, or physical means.
Each of these controls falls into one of three categories: detective, preventive, or reactive.
The CIS Controls, formerly the 20 Critical Security Controls by SANS, encompass 18 major areas and map to various frameworks such as NIST 800-53, the NIST Cybersecurity Fundamentals, and others.
The CIS Controls consist of:
| Control | Title |
|---|---|
| CIS Control 1 | Inventory and Control of Enterprise Assets |
| CIS Control 2 | Inventory and Control of Software Assets |
| CIS Control 3 | Data Protection |
| CIS Control 4 | Secure Configuration of Enterprise Assets and Software |
| CIS Control 5 | Account Management |
| CIS Control 6 | Access Control Management |
| CIS Control 7 | Continuous Vulnerability Management |
| CIS Control 8 | Audit Log Management |
| CIS Control 9 | Email and Web Browser Protections |
| CIS Control 10 | Malware Defenses |
| CIS Control 11 | Data Recovery |
| CIS Control 12 | Network Infrastructure Management |
| CIS Control 13 | Network Monitoring and Defense |
| CIS Control 14 | Security Awareness and Skills Training |
| CIS Control 15 | Service Provider Management |
| CIS Control 16 | Application Software Security |
| CIS Control 17 | Incident Response Management |
| CIS Control 18 | Penetration Testing |
For information systems, NIST 800-53, Security and Privacy Controls, is the authoritative source of possible controls; its 257 categories in version five apply equally to technical, procedural, and policy controls. STIG Viewer breaks these down for us very nicely.