Consensus Audit Guidelines

By: Absolute Team | 3/11/2009

A consortium of federal agencies and private organizations announced the Consensus Audit Guidelines (CAG) last week. This list of 20 items defines the most critical security controls needed to protect federal and contractor information and information systems. The guidelines are not meant to duplicate or replace existing federal IT security requirements, but rather to supplement existing standards such as FISMA.

The CAG initiative is part of a larger effort to advance the recommendations of the CSIS Commission report on Cybersecurity for the 44th Presidency. The goal of the consortium was to produce a risk-based standard that counters known forms of cyber attack. The 20 controls should help government and private organizations mitigate or prevent such attacks. They cover areas including access control, wireless security, data leakage and training. Each control describes the threat it addresses and how the control can be automated and tested for effectiveness.

20 Controls & Metrics for Effective Cyber Defense

  1. Inventory of Authorized and Unauthorized Hardware
  2. Inventory of Authorized and Unauthorized Software; Enforcement of White Lists of Authorized Software
  3. Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
  4. Secure Configurations of Network Devices such as Firewalls, Routers, and Switches
  5. Boundary Defense
  6. Maintenance, Monitoring and Analysis of Complete Audit Logs
  7. Application Software Security
  8. Controlled Use of Administrative Privileges
  9. Controlled Access Based On Need to Know
  10. Continuous Vulnerability Testing and Remediation
  11. Dormant Account Monitoring and Control
  12. Anti-Malware Defenses
  13. Limitation and Control of Ports, Protocols and Services
  14. Wireless Device Control
  15. Data Leakage Protection
  16. Secure Network Engineering
  17. Red Team Exercises
  18. Incident Response Capability
  19. Data Recovery Capability
  20. Security Skills Assessment and Appropriate Training To Fill Gaps

The CAG is still in draft, and the consortium is actively soliciting criticism and suggestions. Details on how to contact them are available here for most of March. After the public review of the draft, pilots will be conducted in several federal agencies and the draft will then be reviewed and audited.
