New version of 20 top security controls is available
Consensus Audit Guidelines can help agencies manage their security efforts
Version 2.3 of the Consensus Audit Guidelines, the top 20 critical security controls agreed on by a consortium of private and government security experts, has been released and is available on the Web site of the SANS Institute
The consortium includes the National Security Agency, the U.S. Computer Emergency Readiness Team, and agencies from the departments of Defense, State and Energy, in addition to commercial forensics experts and white hat hackers. The controls are intended to help large enterprises prioritize and automate efforts to block known attacks and identify intrusions. They include 15 automated controls and five additional controls that cannot be automated to the same degree.
The automated controls include: complete inventories of hardware devices and software; secure configurations of networking and endpoint equipment; boundary defenses; maintenance, monitoring and analysis of audit logs; application software security; controls of administrative privileges and user access; vulnerability assessment and remediation; account monitoring and control; malware defenses; control of network ports, protocols and services; wireless controls; and data loss prevention.
The additional controls include secure network engineering, penetration testing, incident response, data recovery, and security skills assessment and training.
William Jackson is a senior writer of GCN and the author of the CyberEye blog.