To say the least, cybersecurity is an important topic for IT. As CIOs grapple with ensuring the security of their overall IT environments, the topic of security metrics often comes up. How can schools be sure they are fully in compliance with FERPA, HIPAA, CIPA, and SOX? It needs to be stated right up front that cybersecurity is a far-ranging, multidimensional topic that unfortunately can’t be summed up or managed with a single set of metrics. That said, we often get questions about what metrics can be used to help with the task of managing security. Two toolsets that can be helpful in this endeavor are the EDUCAUSE Core Data Survey and the CIS Controls for Effective Cyber Defense.
The CIS Controls for Effective Cyber Defense originated in 2008 with the defense industry. This set of tools is variously known as “The CIS Top 20 Critical Security Controls”, “NSA Top 20 Controls”, and “The 20 Critical Controls”. Initially published by the SANS Institute, ownership was transferred to the Center for Internet Security (CIS) in 2015.
A useful aspect of the 20 Critical Controls is that many of them can be measured automatically, and a number of products are available to implement the testing, including Extreme Security Information and Event Management (SIEM), Splunk, Tenable, and Qualys.
The Top 20 Critical Controls
CSC 1: Inventory of Authorized and Unauthorized Devices
CSC 2: Inventory of Authorized and Unauthorized Software
CSC 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
CSC 4: Continuous Vulnerability Assessment and Remediation
CSC 5: Controlled Use of Administrative Privileges
CSC 6: Maintenance, Monitoring, and Analysis of Audit Logs
CSC 7: Email and Web Browser Protections
CSC 8: Malware Defenses
CSC 9: Limitation and Control of Network Ports, Protocols, and Services
CSC 10: Data Recovery Capability
CSC 11: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
CSC 12: Boundary Defense
CSC 13: Data Protection
CSC 14: Controlled Access Based on the Need to Know
CSC 15: Wireless Access Control
CSC 16: Account Monitoring and Control
CSC 17: Security Skills Assessment and Appropriate Training to Fill Gaps
CSC 18: Application Software Security
CSC 19: Incident Response and Management
CSC 20: Penetration Tests and Red Team Exercises
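To make the idea of automated, metric-driven control checks concrete, here is an added example (not code from the original post, nor from Extreme Networks, CIS, or any of the products named above) that computes two simple metrics a school IT department might track: for CSC 1, the share of devices seen on the network that appear in the authorized inventory, and for CSC 4, the share of vulnerability findings closed within a per-severity remediation deadline. The device lists, findings, deadlines, and the report date `AS_OF` are all constructed sample data; the SLA days are assumptions chosen for illustration, not CIS figures.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Constructed sample data: the authorized device inventory an IT department
# maintains, keyed by MAC address (CSC 1).
AUTHORIZED_DEVICES = {
    "00:11:22:33:44:01": "lab-pc-01",
    "00:11:22:33:44:02": "lab-pc-02",
    "00:11:22:33:44:03": "print-lib-1",
}

# Constructed sample of devices actually observed on the network, as one
# might export from a DHCP lease table or a switch MAC address table.
OBSERVED_DEVICES = [
    "00:11:22:33:44:01",
    "00:11:22:33:44:02",
    "de:ad:be:ef:00:99",  # not in the inventory: needs follow-up
]


def device_inventory_metric(authorized: Dict[str, str], observed: List[str]) -> dict:
    """CSC 1 metric: fraction of observed devices that are in the authorized
    inventory, plus the list of unknown devices for follow-up."""
    observed_set = set(observed)
    unknown = sorted(observed_set - set(authorized))
    known = len(observed_set) - len(unknown)
    coverage = known / len(observed_set) if observed_set else 1.0
    return {"coverage": coverage, "unknown_devices": unknown}


@dataclass
class Finding:
    host: str
    severity: str               # "critical", "high", "medium" or "low"
    discovered: date
    remediated: Optional[date] = None  # None while the finding is still open


# Assumed remediation deadlines in days per severity (illustrative only).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Constructed sample vulnerability findings (CSC 4).
FINDINGS = [
    Finding("lab-pc-01", "critical", date(2024, 1, 1), date(2024, 1, 5)),  # closed in 4 days
    Finding("lab-pc-02", "high", date(2024, 1, 1), date(2024, 2, 15)),     # closed in 45 days, over SLA
    Finding("print-lib-1", "medium", date(2024, 1, 10), None),            # open, still within SLA
    Finding("lab-pc-02", "critical", date(2024, 1, 20), None),            # open and overdue
]

# Constructed report date used for the open-finding check.
AS_OF = date(2024, 2, 20)


def remediation_metric(findings: List[Finding], as_of: date) -> dict:
    """CSC 4 metric: fraction of closed findings remediated within their SLA,
    plus open findings that have already passed their deadline as of `as_of`."""
    closed_total = 0
    closed_in_sla = 0
    overdue_open = []
    for f in findings:
        deadline_days = SLA_DAYS[f.severity]
        if f.remediated is not None:
            closed_total += 1
            if (f.remediated - f.discovered).days <= deadline_days:
                closed_in_sla += 1
        elif (as_of - f.discovered).days > deadline_days:
            overdue_open.append((f.host, f.severity))
    rate = closed_in_sla / closed_total if closed_total else 1.0
    return {"closed_within_sla": rate, "overdue_open": overdue_open}


def security_metrics_report() -> dict:
    """Combine both metrics into one report over the constructed sample data."""
    return {
        "csc1": device_inventory_metric(AUTHORIZED_DEVICES, OBSERVED_DEVICES),
        "csc4": remediation_metric(FINDINGS, AS_OF),
    }


if __name__ == "__main__":
    report = security_metrics_report()
    print(f"CSC 1 inventory coverage: {report['csc1']['coverage']:.0%}, "
          f"unknown devices: {report['csc1']['unknown_devices']}")
    print(f"CSC 4 closed within SLA: {report['csc4']['closed_within_sla']:.0%}, "
          f"overdue open findings: {report['csc4']['overdue_open']}")
```

In a real deployment the constructed lists would be replaced by exports from the inventory system and the vulnerability scanner, and the two percentages would be recorded on a schedule so that the trend, rather than a single snapshot, becomes the metric reported to leadership.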
Another valuable way to benchmark your IT security is with the EDUCAUSE Core Data Survey, specifically the information security maturity and deployment indices. The surveys are part of the EDUCAUSE Benchmarking Service (EBS). EDUCAUSE describes their Core Data Service as “a benchmarking service used by colleges and universities since 2002 to inform their IT strategic planning and management. The service comprises three parts: data collection via an annual survey, data access via a self-service reporting tool, and reports and analyses that summarize and analyze the submitted data.”
Additional Resources and Links
- Success Stories of Implementing the Controls – Short case studies about companies that implemented the Top 20 CIS Critical Security Controls, the benefits they incurred, and tips for other users.
- Get to know the CIS Critical Security Controls – An infographic describing the critical controls and where they came from.
- EDUCAUSE Center for Analysis and Research (ECAR) – The organization that provides the EDUCAUSE Core Data Survey.
- Extreme Access Control – Multi-vendor solution that provides an unparalleled range of choices for fine-grained network access control.
- Extreme Application Analytics – Network-powered application analytics and optimization solution that captures network data and aggregates, analyzes, correlates, and reports on it to enable better decision making and improved business performance.
- Extreme Management Center – Single-pane-of-glass management system that provides wired/wireless visibility and control from the data center to the mobile edge.
- Extreme Security Analytics (SIEM) – Enterprise solution that consolidates log source event data from thousands of devices distributed across a network, stores every activity in its raw form, and then performs immediate correlation to distinguish real threats from false positives.