Information security programs are mandatory for certain industries and most government agencies. Navigating their many technical and administrative requirements can bewilder in-house counsel. Fortunately, there are a number of resources to help. One framework in particular is gaining acceptance as a best practice for information security programs: the SANS Institute’s Top 20 Critical Controls. Both attorneys and management can use the SANS controls to prioritize and fund information security initiatives.
Following is a primer for nontechnologists on the objectives and benefits of each of the Top 20 Controls.
12. Controlled use of administrative privileges. Large organizations often grant powerful access to far more people than intended, usually inadvertently. The goal of this control is to limit such administrative access to those who need it.