SANS – Confusion in the Top How Many?

Enterprise Security or Secure Solution program?

While discussing the SANS Top 20 Critical Controls a couple of weeks ago I ran into some confusion with an infosec partner about the number of controls we were talking about. He referred to the Top 25, but I know from my training and certification that there are 20 controls.

As we delved into the difference we realized he was looking at the SANS Top 25 Most Dangerous Software Errors, which are identified using the Common Weakness Enumeration (CWE) numbering system. My focus was on the broader Center for Internet Security (CIS)/SANS Top 20 Critical Security Controls, which are more comprehensively scoped in terms of enterprise security.

The CIS/SANS Top 20 Critical Security Controls (CSC) are groups of controls that achieve layers of defense in information systems beyond software and solution assurance.

With so much overloading of technology and business terms, it’s important that we correctly scope our work and terminology to the problems we are actually addressing.

It’s also important to differentiate between two senses of “program”: functions written in code and compiled to provide technical capability to users and systems, versus a business initiative such as “Secure Software Assurance”, which is a program owned and driven by one or more key stakeholder organizations within a business.