InfoSec Philippines

Information Security, Technology News and Opinions

CAG and Metricon 3 Slides

Posted by Jaime Raphael Licauco, CISSP, GSEC on March 6, 2009

A few days ago, SANS and a US consortium of federal agencies released the Consensus Audit Guidelines Draft 1.0. It is described as the “Twenty Most Important Controls and Metrics for Effective Cyber Defense and Continuous FISMA Compliance”.

Some of these controls may be included in ISO 27001 implementations to complement the controls found in ISO 27002, since 27001 has been criticized for not having enough controls covering web application security and wireless security. Take note that these controls are specific and technology-based, unlike the more general management-oriented controls in the ISO standards.

The controls are as follows:
Critical Control 1: Inventory of authorized and unauthorized hardware.
Critical Control 2: Inventory of authorized and unauthorized software; enforcement of white lists of authorized software.
Critical Control 3: Secure configurations for hardware and software on laptops, workstations, and servers.
Critical Control 4: Secure configurations of network devices such as firewalls, routers, and switches.
Critical Control 5: Boundary Defense
Critical Control 6: Maintenance, Monitoring and Analysis of Complete Audit Logs
Critical Control 7: Application Software Security
Critical Control 8: Controlled Use of Administrative Privileges
Critical Control 9: Controlled Access Based On Need to Know
Critical Control 10: Continuous Vulnerability Testing and Remediation
Critical Control 11: Dormant Account Monitoring and Control
Critical Control 12: Anti-Malware Defenses
Critical Control 13: Limitation and Control of Ports, Protocols and Services
Critical Control 14: Wireless Device Control
Critical Control 15: Data Leakage Protection
Critical Control 16: Secure Network Engineering
Critical Control 17: Red Team Exercises
Critical Control 18: Incident Response Capability
Critical Control 19: Data Recovery Capability
Critical Control 20: Security Skills Assessment and Appropriate Training To Fill Gaps

A related article in GCN states that CAG is not a substitute for FISMA guidance. NIST will also soon finish the 3rd revision of SP 800-53 (Recommended Security Controls for Federal Information Systems and Organizations), and comments on it will close on March 27. The current drafts can be found here.


Metricon 3 Slides
The Metricon 3 slides have been out since July 2008, but since I haven’t posted them here, I’m including a link here.

My favorites are:
Sandy Hawke’s Bringing Metrics into the Enterprise, Kevin Peuhkurinen’s Balanced Scorecard Approach to InfoSec Metrics, Caroline Wong’s Global Information Security Metrics, and Yolanta Beres’ Security Analytics Driving Better Metrics.


Site News
As you’ve probably noticed, I’ve added Search to the site and changed the Theme. I’ve also updated the links in ISMS and Security Metrics.


2 Responses to “CAG and Metricon 3 Slides”

  1. Xander Solis said

    Jim,

    Nice posts. Would you have recommendations on a good book on security metrics?

    Regards,

    Xander

  2. Jaime Raphael Licauco, CISSP, GSEC said

    Thanks,

    I’ve been looking for this book by Andrew Jaquith, Security Metrics: Replacing Fear, Uncertainty and Doubt, for quite some time now. Powerbooks doesn’t have it; I tried ordering, but they couldn’t get it for me (this was early last year). Maybe Fully Booked can order it for you. There’s a book review of it here: http://www.ieee-security.org/Cipher/BookReviews/2007/Jacquith_by_austin.html

    There’s a transcript of another interview here http://rationalsecurity.typepad.com/blog/2007/09/take5-episode-6.html

    Jaquith also gave a short interview here: http://media.libsyn.com/media/mckeay/NSP-RSA2008-AndrewJaquith.mp3 where he doesn’t talk about metrics; it’s security-related, though (mostly NAC) 🙂 Rich Mogull posted this.

    The above mentioned book review also mentions Hermann’s complete guide, which is pretty expensive. Jaquith’s book was published back in ’07 so there might be other newer books around that have built on it.

    I’m not sure if I’ve posted it, but there was a podcast series last year on security metrics … I forgot where 🙂 In the meantime you can check out the podcasts on metrics by US CERT here: http://www.cert.org/podcast/#measuringsecurity

    There’s a quick podcast on metrics here at CSO Online: http://www.csoonline.com/podcast/221761/How_to_Connect_With_Metrics

    Hope that helps.
