A consortium of federal agencies and private organizations has released Version 1.0 of the Consensus Audit Guidelines (CAG), which define the most critical security controls for protecting federal and contractor information and information systems.
For each of the 20 controls, the experts identified specific (actual) attacks that the control stops or mitigates, illuminated best practices in automating the control (for the 15 controls that can be automated), and defined tests that can determine whether each control is effectively implemented. The resulting document is called the Consensus Audit Guidelines and, once fully vetted, is expected to become the standard baseline for measuring computer security in organizations that are likely to be under attack.
Twenty critical security controls were agreed upon by knowledgeable individuals from the groups listed above. The list of controls includes fifteen that can be validated automatically and five that must be validated manually.
Critical Controls Subject to Automated Measurement and Validation:
- Inventory of Authorized and Unauthorized Hardware
- Inventory of Authorized and Unauthorized Software
- Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
- Secure Configurations of Network Devices Such as Firewalls and Routers
- Boundary Defense
- Maintenance and Analysis of Complete Security Audit Logs
- Application Software Security
- Controlled Use of Administrative Privileges
- Controlled Access Based On Need to Know
- Continuous Vulnerability Testing and Remediation
- Dormant Account Monitoring and Control
- Anti-Malware Defenses
- Limitation and Control of Ports, Protocols and Services
- Wireless Device Control
- Data Leakage Protection
Additional Critical Controls (not directly supported by automated measurement and validation):
- Secure Network Engineering
- Red Team Exercises
- Incident Response Capability
- Data Recovery Capability
- Security Skills Assessment and Training to Fill Gaps
The full draft may be found at http://www.sans.org/cag/. The public review period runs through March 23, 2009.