Consensus audit guidelines

The Twenty Critical Security Controls for Effective Cyber Defense (commonly called the Consensus Audit Guidelines or CAG) is a publication of best practice guidelines for computer security. The project was initiated early in 2008 as a response to extreme data losses experienced by organizations in the US defense industrial base.[1] The publication can be found on the website of the SANS Institute.

Contributors

The Consensus Audit Guidelines were compiled by a consortium of more than 100 contributors[2] from US government agencies, commercial forensics experts and pen testers.[3] Authors of the initial draft include members of:

Goals

The Consensus Audit Guidelines consist of 20 key actions, called security controls, that organizations should take to block or mitigate known attacks. The controls are designed so that primarily automated means can be used to implement, enforce and monitor them.[4] The security controls give no-nonsense, actionable recommendations for cyber security, written in language that’s easily understood by IT personnel.[5] Goals of the Consensus Audit Guidelines include to:

Controls

Version 3.0 was released on April 13, 2011. Version 5.0 was released on February 2, 2014 by the Council on Cyber Security.[7] Version 6.0 was released on October 15, 2015 and consists of the security controls below. Version 6 has re-prioritized the controls and has added/deleted these two controls:

CSC 1: Inventory of Authorized and Unauthorized Devices
CSC 2: Inventory of Authorized and Unauthorized Software
CSC 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
CSC 4: Continuous Vulnerability Assessment and Remediation
CSC 5: Controlled Use of Administrative Privileges
CSC 6: Maintenance, Monitoring, and Analysis of Audit Logs
CSC 7: Email and Web Browser Protections
CSC 8: Malware Defenses
CSC 9: Limitation and Control of Network Ports, Protocols, and Services
CSC 10: Data Recovery Capability
CSC 11: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
CSC 12: Boundary Defense
CSC 13: Data Protection
CSC 14: Controlled Access Based on the Need to Know
CSC 15: Wireless Access Control
CSC 16: Account Monitoring and Control
CSC 17: Security Skills Assessment and Appropriate Training to Fill Gaps
CSC 18: Application Software Security
CSC 19: Incident Response and Management
CSC 20: Penetration Tests and Red Team Exercises

Notable results

Starting in 2009, the US Department of State began supplementing its risk scoring program in part using the Consensus Audit Guidelines. According to the Department's measurements, in the first year of site scoring using this approach the department reduced overall risk on its key unclassified network by nearly 90 percent in overseas sites, and by 89 percent in domestic sites.[8]

Criticisms

It Costs Money

US Federal agencies do not have the money to both meet the FISMA requirements and attempt to meet the "Critical Control 20".

Designed to sell product

Critics may see the controls as a list of "20 Pseudo-Critical Faux Controls for Technology Adoption", contending that "it's clear that this list exists to push more product."

Not metric-based

The controls provide no method of measuring success.

Licensing

SANS has recently placed additional restrictions on the documents under the Creative Commons Attribution-NoDerivs 3.0 Unported license (CC BY-ND 3.0), although this set of documents was created and supported by the community. The NoDerivatives restriction also prevents developers of security controls for other systems and protocols from distributing derivative works that would further benefit the wider security community.

This article is issued from Wikipedia - version of the Friday, November 27, 2015. The text is available under the Creative Commons Attribution/Share Alike but additional terms may apply for the media files.