SANS Top 20 is a list of the 20 most critical security controls that organizations should implement to protect their networks and systems from cyber attacks. The SANS Institute, a leading organization in the field of information security, developed this list based on years of research and analysis of real-world security incidents and vulnerabilities.

The 20 critical security controls are grouped into three main categories:

1. Basic Hygiene Controls: These are the foundational controls that every organization should implement to establish a basic level of security. They include:

• Inventory and Control of Hardware Assets
• Inventory and Control of Software Assets
• Continuous Vulnerability Management
• Controlled Use of Administrative Privileges
• Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
• Maintenance, Monitoring, and Analysis of Audit Logs

2. Foundational Controls: These are the controls that build on the basic hygiene controls and are designed to protect against a broader range of threats. They include:

• Email and Web Browser Protections
• Malware Defenses
• Limitation and Control of Network Ports, Protocols, and Services
• Data Recovery Capability
• Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
• Boundary Defense

3. Advanced Controls: These are the controls that organizations should implement to protect against the most sophisticated and advanced threats. They include:

• Penetration Testing
• Incident Response and Management
• Secure Network Engineering
• Application Software Security
• Wireless Access Control
• Data Security
• Security Skills Assessment and Appropriate Training to Fill Gaps

The SANS Top 20 is regularly updated to reflect changes in the threat landscape and new technologies. It is widely recognized as a comprehensive and effective framework for securing networks and systems.