They include some obvious steps, such as maintaining a comprehensive inventory of all network devices and software, implementing secure hardware configurations and providing for data recovery, but they also get into areas that are less evident.
Some of these items can be costly and include regularly scheduled assessments, such as penetration testing and red-team exercises, so they require funding through annual security operating budgets.
Even if an organization can’t handle all 20, it’s a good list to include in a comprehensive set of goals that gets updated periodically as the threat landscape changes.
SANS offers a course on this, but here’s the list with links to recommended implementation steps:
1: Inventory of Authorized and Unauthorized Devices
2: Inventory of Authorized and Unauthorized Software
4: Continuous Vulnerability Assessment and Remediation
6: Application Software Security
9: Security Skills Assessment and Appropriate Training to Fill Gaps
10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
11: Limitation and Control of Network Ports, Protocols, and Services
12: Controlled Use of Administrative Privileges
14: Maintenance, Monitoring, and Analysis of Audit Logs
15: Controlled Access Based on the Need to Know
16: Account Monitoring and Control
18: Incident Response and Management
19: Secure Network Engineering
20: Penetration Tests and Red Team Exercises