CAG's 20 high-priority areas

The Consensus Audit Guidelines (CAG) include 15 controls that can be validated in an automated manner and five that must be validated manually.


The critical controls subject to automated measurement and validation are:

  • Inventory of authorized and unauthorized hardware
  • Inventory of authorized and unauthorized software
  • Secure configurations for hardware and software on laptops, workstations and servers
  • Secure configurations of network devices such as firewalls and routers
  • Boundary defense
  • Maintenance and analysis of complete security audit logs
  • Application software security
  • Controlled use of administrative privileges
  • Controlled access based on need-to-know
  • Continuous vulnerability testing and remediation
  • Dormant account monitoring and control
  • Anti-malware defenses
  • Limitation and control of ports, protocols and services
  • Wireless device control
  • Data leakage protection

The additional critical controls — not directly supported by automated measurement and validation — are:

  • Secure network engineering
  • Red-team exercises
  • Incident response capability
  • Data recovery capability
  • Security skills assessment and training to fill gaps

About the Author

Connect with the GCN staff on Twitter @GCNtech.
