Considering where residual risk may result from differences in standards and regulatory requirements

Supervisors

Suitable for

MSc in Computer Science
Computer Science, Part B 2017-18
Mathematics and Computer Science, Part C
Computer Science and Philosophy, Part C
Computer Science, Part C

Abstract

While these controls might be advantageous in many regards, they are often up against changing regulatory frameworks that place differing demands with respect to information security and privacy. One potential challenge is where these security control sets recommend best practice that is not in line with regulatory requirements in the company’s industry or jurisdiction. This would lead to companies following key standards but failing to reach the requisite level of security. This is especially the case where standards present certain controls as optional when, in fact, they may be critical for a particular locale. The aim of this project will be to consider these issues with special emphasis on the CIS Top 20 Critical Security Controls (CSC) (version 6.1) and their context of use within Europe, particularly with respect to the existing Data Protection Act and the upcoming General Data Protection Regulation. Version 6.1 is of interest because it is structured into ‘foundational’ and ‘advanced’ controls, a flexibility that might not actually be afforded once current regulation is taken into account.