CAG's 20 high-priority areas

The Consensus Audit Guidelines includes 15 controls that can be validated in an automated manner and five that must be validated manually.

LEAD STORY: CAG plays complementary role on security

The critical controls subject to automated measurement and validation are:

  • Inventory of authorized and unauthorized hardware
  • Inventory of authorized and unauthorized software
  • Secure configurations for hardware and software on laptops, workstations and servers
  • Secure configurations of network devices such as firewalls and routers
  • Boundary defense
  • Maintenance and analysis of complete security audit logs
  • Application software security
  • Controlled use of administrative privileges
  • Controlled access based on need-to-know
  • Continuous vulnerability testing and remediation
  • Dormant account monitoring and control
  • Anti-malware defenses
  • Limitation and control of ports, protocols and services
  • Wireless device control and
  • Data leakage protection

The additional critical controls — not directly supported by automated measurement and validation — are:

  • Secure network engineering
  • Red-team exercises
  • Incident response capability
  • Data recovery capability and
  • Security skills assessment and training to fill gaps.

About the Author

Connect with the GCN staff on Twitter @GCNtech.

inside gcn

  • digital key (wavebreakmedia/

    Encryption management in government hyperconverged IT networks

Reader Comments

Mon, Mar 9, 2009 Tom Murphy

nice to see application control and device control leverage whitelisting to block all unauthorized software and portable storage devices.

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group