The Critical Security Controls for Effective Cyber Defense version 5.0 was released for public comment at the beginning of this month by the Council on Cybersecurity. These controls cover 20 areas that organizations should consider when putting together their security programs, and they provide guidance on how to measure the presence, appropriateness, and effectiveness of the technical and procedural controls in each area.
While there are many cyber security standards, regulations, and guidelines, these controls provide a good foundation for developing controls that can be mapped to your industry or organizational security and privacy requirements. Rick Doten, DMI Chief Information Security Officer (CISO), is a member of the panel that updates and maintains these controls.
Generally, this version has been organized to be more convenient to use as a reference, with clearer headings and the use of tables. One of the major updates is to make the controls appeal to a broader audience of organizations; earlier versions were very US Government-centric, with frequent reference to NIST standards and other federal requirements. The Council has also provided input on how to incorporate a risk-based approach, applying these controls on a staged basis to account for different levels of maturity among organizations. We welcome security and privacy professionals from all industries and nations to provide input and comment. The finalized version of these controls will be announced at the RSA Conference in San Francisco in the last week of February.