And to work together to make sure that testing is up to date and comparable, by agreeing on common metrics through:
“Establishing a prioritized baseline of information security measures and controls that can be continuously monitored through automated mechanisms.”
This consensus document is designed to begin the process of establishing that prioritized baseline of information security measures and controls. The consensus effort that produced this document has identified twenty specific security controls that are viewed as essential for blocking known high-priority attacks. Fifteen of these controls can be monitored, at least in part, automatically and continuously. The remaining five controls are also essential, but with current technology and practices they do not appear to be monitorable continuously or automatically.
Additionally, the controls in this document are designed to support agencies and organizations that currently have widely differing levels of information security capability. To help organizations first achieve a sound baseline of security and then improve beyond it, certain aspects of individual controls have been categorized as follows:
Quick Wins: These fundamental aspects of information security can help an organization rapidly improve its security stance, generally without major process, organizational, architectural, or technical changes to its environment. It should be noted, however, that the Quick Win label does not mean that these controls protect against the most critical attacks; its purpose is to highlight where security can be improved rapidly. These items are identified in this document with the label “QW.”
Improved Visibility and Attribution: These controls focus on improving the process, architecture, and technical capabilities of organizations so that they can monitor their networks and computer systems, gaining better visibility into their IT operations. Attribution means determining which computer systems, and potentially which users, are generating specific events. Such improved visibility and the ability to determine attribution support organizations in detecting attack attempts, locating the points of entry for