A group of federal agencies and private organizations, including the [U.S.] National Security Agency (NSA; Washington, DC, USA) and the [U.S.] Department of Homeland Security (Washington, DC, USA), has released the Consensus Audit Guidelines (CAG) as part of a larger cybersecurity effort backed by the Center for Strategic and International Studies (CSIS; Washington, DC, USA).
The CAG team is led by John Gilligan, formerly the Chief Information Officer (CIO) for the U.S. Air Force and the U.S. Department of Energy, and a member of the Obama transition team dealing with information technology (IT) in the Department of Defense and other intelligence agencies. "We are in a war, a cyberwar, and the federal government is one of many large organizations that are being targeted. Our ability... to detect and defend against these attacks is really quite weak," Mr. Gilligan said.
CAG is also important in defending against data-breach liability litigation. These guidelines will be used to establish baseline cybersecurity standards to guide the courts and others involved in information defense.
The CAG is available on the website of the SANS Institute (SysAdmin, Audit, Network, Security Institute; Bethesda, MD, USA), which is part of the team that developed the guidelines. The CAG describes 20 key actions, in the form of security controls, that organizations should take to safeguard their computer systems. Inventories of authorized and unauthorized hardware and software should be kept. Secure configurations for hardware and software, and for network devices such as firewalls and routers, should be used whenever possible. Boundary defense is important. Complete security audit logs should be maintained and routinely analyzed. Other protective measures are: application software security; controlled use of administrative privileges; controlled access based on the need to know; continuous vulnerability testing and remediation; dormant account monitoring and control; anti-malware defenses; limitation and control of ports, protocols, and services; wireless device control; and data leakage protection. Less clearly defined actions are: secure network engineering; red team exercises; incident response capability; assured data backups; and assessment of security skills, with training to fill the gaps.
CAG is undergoing a six-step review process: 30 days of public comment, a pilot test, a CIO Council review, an inspector general review, control automation workshops, and comparison with existing audit regulations.
"This is the best example of risk-based security I have ever seen," said Alan Paller, director of research at the SANS Institute, "... representing the nation's most complete understanding of the risk faced by our systems. In the past, cybersecurity was driven by people who had no clue of how the attacks are carried out. They created an illusion of security. The CAG will turn that illusion into reality."
Related Links:
[U.S.] National Security Agency
[U.S.] Department of Homeland Security
Center for Strategic and International Studies (CSIS)
SysAdmin, Audit, Network, Security Institute (SANS)