CAG's 20 high-priority areas
The Consensus Audit Guidelines includes 15 controls that can be validated in an automated manner and five that must be validated manually.
The critical controls subject to automated measurement and validation are:
- Inventory of authorized and unauthorized hardware
- Inventory of authorized and unauthorized software
- Secure configurations for hardware and software on laptops, workstations and servers
- Secure configurations of network devices such as firewalls and routers
- Boundary defense
- Maintenance and analysis of complete security audit logs
- Application software security
- Controlled use of administrative privileges
- Controlled access based on need-to-know
- Continuous vulnerability testing and remediation
- Dormant account monitoring and control
- Anti-malware defenses
- Limitation and control of ports, protocols and services
- Wireless device control
- Data leakage protection.
The additional critical controls — not directly supported by automated measurement and validation — are:
- Secure network engineering
- Red-team exercises
- Incident response capability
- Data recovery capability
- Security skills assessment and training to fill gaps.
About the Author
Connect with the GCN staff on Twitter @GCNtech.