New version of 20 top security controls is available

Consensus Audit Guidelines can help agencies manage their security efforts

Version 2.3 of the Consensus Audit Guidelines, the top 20 critical security controls agreed on by a consortium of private and government security experts, has been released and is available on the Web site of the SANS Institute.

The consortium includes the National Security Agency, the U.S. Computer Emergency Readiness Team, and agencies from the departments of Defense, State and Energy, in addition to commercial forensics experts and white hat hackers. The controls are intended to help large enterprises prioritize and automate efforts to block known attacks and identify intrusions. They include 15 automated controls and five additional controls that cannot be automated to the same degree.

The automated controls include: complete inventories of hardware devices and software; secure configurations of networking and endpoint equipment; boundary defenses; maintenance, monitoring and analysis of audit logs; application software security; controls of administrative privileges and user access; vulnerability assessment and remediation; account monitoring and control; malware defenses; control of network ports, protocols and services; wireless controls; and data loss prevention.

The additional controls include secure network engineering, penetration testing, incident response, data recovery, and security skills assessment and training.

About the Author

William Jackson is a freelance writer and the author of the CyberEye blog.
