To NIST/SANS or not to NIST/SANS? That is the Cyber Question.

It has been said, “there are two types of organizations: those that have been hacked and those that will be hacked.” If your organization has not been the victim of a ransomware demand, count yourself lucky.

There are many tactical frameworks available to prepare for such an event. The National Institute of Standards and Technology (NIST) and the Center for Internet Security (CIS) Top 20 Critical Security Controls (previously known as the SANS Top 20 Critical Security Controls) are among the best. These are a prioritized set of best practices created to stop the most pervasive and dangerous threats of today. They were developed by leading security experts from around the world and are refined and validated every year.

NIST was selected to develop the Framework because it is a non-regulatory federal agency that acts as an unbiased source of scientific data and practices, including cybersecurity practices. NIST has a long history of successfully addressing critical national issues through partnerships with industry, academia, and other government agencies. This kind of collaboration would be critical for the Framework to be successful. The Framework was, and continues to be, developed and promoted through ongoing engagement with, and input from, stakeholders in government, industry, and academia.

The CIS Controls are a set of prioritized actions that set out to answer the most fundamental question in cybersecurity – what do we need to do to stop known attacks? The Controls take leading threat data from forensic experts across all industries and transform it into actionable controls to achieve better overall cybersecurity defense.

As you probably know, simply being compliant is not enough to mitigate probable attacks and protect your critical information. While there's no silver bullet for security, organizations can reduce the chances of compromise by moving from a compliance-driven approach to a risk management approach that is focused on real-world effectiveness.

Implementing NIST or the CIS Top 20 Critical Security Controls is a great way to protect your organization from some of the most common attacks.