Technology: 20 critical information security controls

The SANS Institute's Top 20 Critical Controls can help prioritize and fund information security initiatives

Information security programs are mandatory for certain industries and most government agencies. Navigating the many technical and administrative requirements can bewilder in-house counsel. Fortunately, there are a number of resources to help. One framework in particular is gaining acceptance as a best practice for information security programs: the SANS Institute's Top 20 Critical Controls. Both attorneys and management can use the SANS controls to prioritize and fund information security initiatives.

Following is a primer for nontechnologists on the objectives and benefits of each of the Top 20 Controls.

11. Limitation and control of network ports, protocols and services. Many IT services listen on the network and answer whoever connects, attackers included, much as a phone book or a fast-food drive-through window serves anyone who shows up. Implementing this control removes the services that have no need to be reachable and restricts the rest.

12. Controlled use of administrative privileges. Large organizations often grant too much access to too many people, usually without intending to. The goal here is to limit powerful system access to the few who need it.
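Controls 11 and 12 both come down to comparing what a system actually exposes with what the organization has approved. The following shell script, added here as an illustration and not part of the original article, audits listening ports and administrative group membership against an approved baseline. The baseline values and the sample `ss` and `/etc/group` lines are constructed for the example; on a real host the samples would be replaced by the output of `ss -Hlntu` and `getent group sudo wheel`.

```shell
#!/bin/sh
# Added example (not from the article): audit observed listening ports and
# administrative group members against an approved baseline, as a defender
# would when implementing SANS Controls 11 and 12.

# Approved baseline (assumption: only SSH and HTTPS may listen).
APPROVED_PORTS="22 443"
# Approved administrators (assumption).
APPROVED_ADMINS="alice"

# Constructed sample in the format of `ss -Hlntu`
# (netid state recv-q send-q local-address:port peer-address:port).
SAMPLE_SS='tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 128 [::]:443 [::]:*
tcp LISTEN 0 50 0.0.0.0:3306 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:161 0.0.0.0:*'

# Constructed sample of administrative group lines from /etc/group.
SAMPLE_GROUPS='sudo:x:27:alice,bob
wheel:x:10:alice'

# Print each listening port not in the approved list as netid/port, one per line.
unapproved_ports() {
  printf '%s\n' "$1" | awk -v ok="$2" '
    BEGIN { n = split(ok, a, " "); for (i = 1; i <= n; i++) allow[a[i]] = 1 }
    { n = split($5, p, ":"); port = p[n]           # last ":"-field is the port
      if (!(port in allow)) print $1 "/" port }'
}

# Print each member of an admin group who is not an approved administrator
# as group:user, one per line.
unapproved_admins() {
  printf '%s\n' "$1" | awk -F: -v ok="$2" '
    BEGIN { n = split(ok, a, " "); for (i = 1; i <= n; i++) allow[a[i]] = 1 }
    { m = split($4, users, ",")                    # field 4 is the member list
      for (i = 1; i <= m; i++)
        if (users[i] != "" && !(users[i] in allow)) print $1 ":" users[i] }'
}

echo "Listening services outside the approved baseline:"
unapproved_ports "$SAMPLE_SS" "$APPROVED_PORTS"
echo "Administrative group members outside the approved list:"
unapproved_admins "$SAMPLE_GROUPS" "$APPROVED_ADMINS"
```

Each line the script prints is a finding to either add to the baseline with a documented business reason or remove from the host.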

Contributing Author: Matt Sorensen

Matt Sorensen, CISSP, CIPP, CEDS, is an attorney advising clients on security and privacy compliance, information governance, e-discovery and forensic investigations. He can be reached...

Contributing Author: Matthew Richards

Matthew K. Richards provides general counsel services to clients, advising them on regulatory compliance, electronic discovery and records management, historical preservation and contract management. He...
