Let’s begin with a short story. Imagine that we have two large organizations in the public sector. These entities are very similar. Both are on the receiving end of cyber threats. Both adhere to multiple compliance standards. And both need to ensure that their IT systems are functioning as planned.

But they’re not entirely the same. Take Organization A, for example. This company has recently suffered a data breach, and its IT team is trying to figure out what happened and to plug holes. The organization is also working towards GPG 13 compliance while also trying to be PCI compliant; it needs to schedule a review of PCI policies towards that end.

Finally, the organization is struggling with the availability of its business-critical systems. Its teams keep trying to establish the root cause of this availability issue. However, doing so is proving to be time-consuming because the business processes involved suffer from a lack of accountability.

It’s an entirely different story for Organization B. This company has always been compliant, and it’s not worried about drift. When its business systems fail, it’s much easier for Organization B to figure out what happened and to quickly restore service.

All of this raises the question: how can Organization B be so different from Organization A? The answer is that the former is using foundational controls and the latter isn’t.

What Are Foundational Controls?

Foundational controls are the basic security measures on which an organization builds the rest of its IT security strategy; ideally, they form the starting point of any organization’s IT security posture.

Let’s look at an example. In 2008, the SANS Institute developed a specific set of foundational controls before transferring them to the Center for Internet Security (CIS) in