Assessing & Implementing the CSIS
Top 20 Critical Security Controls

SEC-212


Course Overview

COURSE LENGTH: 5-DAY


This course teaches you how to master the 20 Important Security Controls published by the Center for Strategic and International Studies (CSIS): http://csis.org/publication/twenty-important-controls-effective-cyber-defense-and-fisma-compliance
 
Securing the United States against cyber attacks has become one of the nation’s highest priorities. To achieve this objective, networks, systems, and the operations teams that support them must vigorously defend against external attacks. Furthermore, for those external attacks that are successful, defenses must be capable of thwarting, detecting, and responding to follow-on attacks on internal networks as attackers spread inside a compromised network.

This consensus document of 20 crucial controls is designed to begin the process of establishing that prioritized baseline of information security measures and controls that can be applied across enterprise environments. The consensus effort that has produced this document has identified 20 specific technical security controls that are viewed as effective in blocking currently known high-priority attacks, as well as those attack types expected in the near future. Fifteen of these controls can be monitored, at least in part, automatically and continuously.

The consensus effort has also identified a second set of five controls that are essential but that cannot, with current technology and practices, be monitored continuously or automatically. Each of the 20 control areas includes multiple individual subcontrols, each specifying actions an organization can take to improve its defenses.

The control areas and individual subcontrols described focus on various technical aspects of information security, with a primary goal of supporting organizations in prioritizing their efforts in defending against today’s most common and damaging computer and network attacks. Outside of the technical realm, a comprehensive security program should also take into account numerous additional areas of security, including overall policy, organizational structure, personnel issues (e.g., background checks), and physical security. To help maintain focus, the controls in this document do not deal with these important, but non-technical, aspects of information security. Organizations should build a comprehensive approach in these other aspects of security as well, but overall policy, organization, personnel, and physical security are outside the scope of this document.

In summary, the guiding principles used in devising these control areas and their associated subcontrols include:

  1. Defenses should focus on addressing the most common and damaging attack activities occurring today, and those anticipated in the near future.
  2. Enterprise environments must ensure consistent controls across an enterprise to effectively negate attacks.
  3. Defenses should be automated where possible, and periodically or continuously measured using automated measurement techniques where feasible.
  4. To address current attacks occurring on a frequent basis against numerous organizations, a variety of specific technical activities should be undertaken to produce a more consistent defense.

Learn from Experts in the Field of Information Security:
Our instructors are not just great teachers; they have years of industry experience and are recognized as experts. InfoSec Institute instructors have authored many top-selling information security books.

  • 5-Day Immersion in Security Policy
  • Industry-recognized & field-tested experts

"Great instructor - thoroughly covered all topics with expertise. He focused our attention on the pertinent information. ... a great experience"

Jeremy J. Pearson,
Joint Staff, Pentagon

Hands-on Labs, Demos, and Instruction

In the InfoSec Institute 20 Critical Security Controls 2-day course, you will learn in detail, with hands-on lab examples and demos, how to implement the 20 Critical Security Controls:

Critical Controls Subject to Automated Collection, Measurement, and Validation:

  1. Inventory of Authorized and Unauthorized Devices
  2. Inventory of Authorized and Unauthorized Software
  3. Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
  4. Secure Configurations of Network Devices Such as Firewalls, Routers, and Switches
  5. Boundary Defense
  6. Maintenance and Analysis of Security Audit Logs
  7. Application Software Security
  8. Controlled Use of Administrative Privileges
  9. Controlled Access Based On Need to Know
  10. Continuous Vulnerability Assessment and Remediation
  11. Account Monitoring and Control
  12. Malware Defenses
  13. Limitation and Control of Network Ports, Protocols, and Services
  14. Wireless Device Control
  15. Data Loss Prevention

Additional Critical Controls (not directly supported by automated measurement and validation):

  16. Secure Network Engineering
  17. Penetration Tests and Red Team Exercises
  18. Incident Response Capability
  19. Data Recovery Capability
  20. Security Skills Assessment and Training to Fill Gap

Top 20 Control implementers learn more by doing, so hands-on problem solving is a primary component of this course. Expect to spend 50% of your time deep in hands-on lab work. You will learn to use a variety of open source and commercial products in this course.


Dates & Locations

Unfortunately, no public enrollment courses currently match your criteria.

Your name can be added to a wait list for an upcoming course, or we can schedule an On-Site course in your local area if you have 6 students or more. Complete the following form if you would like to receive information concerning our wait list policy and/or On-Site training.


The best in the world come train with us

See what our students are saying

  • David P. Curly

    Senior Consultant

    Booz Allen Hamilton

    "a must for any true security professional"

    "This was a phenomenal class! The instructor was extremely knowledgeable and crafted the exercises so that we truly learned the material. I have a whole new appreciation for how vulnerabilities are exploited. I have gained very practical skills and knowledge in this class which will help me tremendously in my job. I will highly recommend this course to all of my co-workers. This class should be a must for any true security professional. There were several moments during the week when I was amazed at how vulnerable systems truly are. The practical labs and competition teams made the experience fun. I have learned some extremely valuable skills."

  • "hands on lab exercises was the most enjoyable part"

    "Instructor was very knowledgeable and was able to explain a huge amount of information in a very short period of time. The course was very informative; doing the hands on lab exercises was the most enjoyable part of the course, as I found it to be the best way to learn."

  • "nice to have a dedicated training laptop provided"

    "I got a lot out of the real world scenarios presented in class. Jeremy is very knowledgeable in the field of penetration testing. Would definitely take classes again if he is the instructor. The course books are a great reference, and it was nice to have a dedicated training laptop provided by Infosec and not have to bring my own and waste time installing programs during class."

  • Rummy Dabgotra

    MTS Allstream

    "invaluable to my career"

    "Dan is an excellent instructor and incredibly knowledgeable. Great presenter and very helpful. The course was very intense but well structured. The hours were long but it really allows you to get your head wrapped around it. Slide notes were very good as well as the lab pre-info. The labs tied well into the course. The content and knowledge gained will be invaluable to my career."


Pricing

Call (866)-471-0059 or fill out this short form for current pricing

During the 5-day program, our instructors give you 100% of their time and dedication to ensure that your time is well spent. You will receive an all-inclusive immersion experience by receiving your hotel stay and most meals during your training experience; you eat, sleep and train at the learning facility with no distractions!


YOU ALSO GET

  • Course Materials, Pre-study

    Upon registration, InfoSec Institute will ship you targeted pre-study courseware that will enable you to get a jump on the material prior to the class. We also make available many free training resources, produced by our instructors: http://resources.infosecinstitute.com/

  • Class Guarantees!

    Small class size provides an intimate learning setting not offered by any of our competitors.

    All meals, snacks and refreshments included. Snacks not included in Las Vegas courses.

    Lecture, Lab Exercise and Textbook


OUR STUDENTS SAY:
InfoSec Institute has an excellent instructor and this is the best IT security class I have ever taken. His knowledge and method of teaching are unsurpassed.