If you’re like me, if you see or hear about one more “set of controls,” “baselines,” “standards” or “frameworks,” you’ll tear your hair out and scream.
For my money, the PCI Data Security Standard (PCI DSS) has the most realistic set of sensible requirements around; requirements that actually speak to most business IT environments.
Standards and frameworks do not give concrete requirements and actual actions worth taking. Even “Best Practices” gets only a limited amount of respect. After all, who is the “Best,” and how do we know the practices are really any good?
So I take a lot of announcements along these lines with a grain of salt and/or a delete button. But SANS has released “Twenty Critical Security Controls” that have been vetted by both the audit and the IT Security sides of the house – thus something useful for everyone. A lot of real practitioners have worked on this one, and it shows.
Check it out! http://www.sans.org/critical-security-controls/