The Cyber Security Controls

We developed the fifty-four controls based on experience in the trenches. They include expected areas such as firewall platforms and multi-factor authentication, along with rarely mentioned CISO strategies such as working with value-added solution providers, managed security service providers (MSSPs), and managed detection and response (MDR) vendors. And, as you can see, the TAG Cyber Controls are presented in a way that allows visual inspection at a glance, which explains why many refer to the framework as the Periodic Table of Security.

Enterprise Controls
1. Deception-Based Security
2. Intrusion Detection/Prevention
3. User Behavioral Analytics
4. Data Leakage Protection
5. Firewall Platform
6. Application Security
7. Web Application Firewall
8. Web Fraud Prevention
9. Web Security Gateway

Network Controls
10. Public Key Infrastructure
11. Cloud Security Solutions
12. DDOS Security
13. Email Security
14. Infrastructure Security
15. Network Monitoring
16. Network Access Control
17. Secure Access/Zero Trust
18. Attack Surface Protection

Endpoint Controls
19. Anti-Malware Tools
20. Endpoint and EDR Security
21. Hardware Security
22. ICS/IoT Security
23. SIEM Platform
24. Mobile Security
25. Password/Privilege Management
26. Authentication Security
27. Voice Security

Governance Controls
28. Digital Risk Management
29. Crowdsourced Security Testing
30. Cyber Insurance
31. Governance, Risk, Compliance (GRC)
32. Incident Response
33. Penetration Testing
34. Continuous Attack Simulation
35. Identity and Access Management
36. Threat Intelligence

Data Controls
37. Data Privacy
38. Content Protection
39. Secure File Sharing
40. Data Encryption
41. Digital Forensics
42. Enterprise Asset Inventory
43. DevOps Security
44. Vulnerability Management
45. Threat Hunting Tools

Service Controls
46. Research and Advisory Services
47. Information Assurance
48. MSSP and MDR Services
49. Large Security Consulting Firms
50. Small Security Consulting Firms
51. Security Staff Recruiting
52. Security Training and Awareness
53. Advanced Security R&D Support
54. Value-Added Solution Providers

Applying the Controls

The practical usefulness of the fifty-four TAG Cyber security controls has been validated since 2016 by many enterprise teams who use the framework to identify gaps and optimize the selected controls for their security portfolio. The TAG Cyber team recommends that portfolio managers and consultants who assist enterprise teams with vendor selection make full use of the structure.

Ultimately, each enterprise will have to tailor its security architecture to its unique needs. Larger organizations, for example, will rarely need unified threat management (UTM) gateways for smaller networks, and companies that have little creative video, music, or written material will rarely need content protection. In general, however, the controls provide a useful guide for enterprise teams to measure the completeness of their program.

At the most basic level, portfolio managers would be wise to map their projects, vendors, and deployments to the TAG Cyber controls to get a general sense of coverage. If, for example, a gap is identified, then this helps drive a new project to identify suitable vendors that can address the missing protection. On the other hand, if the security program matches or is a superset of the TAG Cyber controls, then this offers evidence that the portfolio managers have done a thorough job.