Saturday, February 28, 2009

Distilled vol.1,3 - CAG

A few weeks back in early January I summarized the CSIS recommendations to the President for improving cyber security. That article can be found at the Aurora Report blog here: http://aurorareport.blogspot.com/2009/01/distilled-vol11-securing-cyberspace-for.html.

Now that President Obama has been inaugurated, he has begun to review what to do about our national cybersecurity posture. His first step was to request a 60-day review of cyber security led by Melissa Hathaway; see the interview here: http://www.schneier.com/blog/archives/2009/02/melissa_hathawa.html.


The Consensus Audit Guidelines have recently been posted for comments at http://www.sans.org/cag/print.php and are summarized below:


A consortium of US federal agencies has drawn up a list of critical security controls that it hopes will serve as a gold standard for cybersecurity.


The Consensus Audit Guidelines (CAG) list is part of larger plans to apply the CSIS Commission report on cybersecurity as a blueprint for making information security systems more secure.
Although these controls were drawn up by federal agencies, they might be applied across diverse industry sectors, from retailing to banks, defense contractors and government agencies. At first sight the list resembles the guidelines drawn up by the credit card industry for adherence to the PCI DSS, but experts involved in the scheme argue that CAG is far more ambitious.


Critical security controls


1. Hardware audit
2. Inventory of authorized and unauthorized software
3. Secure configurations for computers and servers
4. Secure configurations of network kit such as firewalls and routers
5. Boundary defense
6. Maintenance of audit logs
7. Application software security
8. Application of administrative privileges
9. Access controls based on need to know
10. Continuous vulnerability testing and remediation
11. Dormant account monitoring and control
12. Anti-malware defenses
13. Limitation and control of ports, protocols and services
14. Wireless device control
15. Data leak protection
16. Secure network engineering
17. Red team exercises
18. Incident response capability
19. Data recovery
20. Security skills assessment and training


On Monday the CAG concept garnered backing from the National Security Agency, the Department of Homeland Security, various divisions within the Defense Department, the Department of Energy, the Department of Transportation, the Government Accountability Office, MITRE Corp. and the SANS Institute.
Though agencies are restive about FISMA, Gilligan says they are intent on bringing agency inspectors general, as well as NIST and Congress, on board to prove CAG will work. To that end, agencies are working to set up "pilot sites" in their production networks where they can demonstrate how CAG controls would work in practice. "We want real-world examination of this for feedback," Gilligan notes.

The CAG alliance wants feedback on how its guidelines mesh with other government and industry security-compliance efforts, such as the Health Insurance Portability and Accountability Act (HIPAA) guidelines from the Department of Health and Human Services or the Payment Card Industry Data Security Standard (PCI DSS).

Hope you find this information pertinent and useful.
