SANS: 20 critical security controls you need to add

They include some obvious steps, such as getting a comprehensive inventory of all network devices and software, implementing secure hardware configurations and providing for data recovery, but also gets into areas that are less evident.

+More on Network World: Gartner: IT should simplify security to fight inescapable hackers+

Some of these items can be costly and include regularly scheduled assessments – penetration testing and red-team assessments, for example - so they require funding through annual security operating budgets.

Even if an organization can’t handle all 20, it’s a good list to include in a comprehensive set of goals that gets updated periodically as the threat landscape changes.

SANS offers a course on this, but here’s the list with links to recommended implementation steps:

1: Inventory of Authorized and Unauthorized Devices

2: Inventory of Authorized and Unauthorized Software

3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers

4: Continuous Vulnerability Assessment and Remediation

5: Malware Defenses

6: Application Software Security

7: Wireless Access Control

8: Data Recovery Capability

9: Security Skills Assessment and Appropriate Training to Fill Gaps

10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches

11: Limitation and Control of Network Ports, Protocols, and Services

12: Controlled Use of Administrative Privileges

13: Boundary Defense

14: Maintenance, Monitoring, and Analysis of Audit Logs

15: Controlled Access Based on the Need to Know

16: Account Monitoring and Control

17: Data Protection

18: Incident Response and Management

19: Secure Network Engineering

20: Penetration Tests and Red Team Exercises

(www.networkworld.com)