Earlier this year, a powerful consortium of security experts was “brought together by John Gilligan (previously CIO of the US Department of Energy and the US Air Force) under the auspices of the Center for Strategic and International Studies. Members of the consortium included NSA, US Cert, DoD JTF-GNO, the Department of Energy Nuclear Laboratories, Department of State, DoD Cyber Crime Center plus the top commercial forensics experts and pen testers that serve the banking and critical infrastructure communities.” Through their united and focused efforts twenty critical security controls were identified as being effective “in blocking currently known high-priority attacks, as well as those attack types expected in the near future.”

“The Twenty Critical Security Controls have already begun to transform security in government agencies and other large enterprises by focusing their spending on the key controls that block known attacks and finding the ones that get through. These controls allow those responsible for compliance and those responsible for security to agree, for the first time, on what needs to be done to make systems safer. No development in security is having a more profound and far reaching impact.”

“The automation of these Top 20 Controls will radically lower the cost of security while improving its effectiveness. The US State Department, under CISO John Streufert, has already demonstrated more than 80% reduction in “measured” security risk through the rigorous automation and measurement of the Top 20 Controls.

Source: http://www.sans.org/critical-security-controls/