InfoSec Philippines


CAG and Metricon 3 Slides

Posted by Jaime Raphael Licauco, CISSP, GSEC on March 6, 2009

A few days ago, SANS and a US consortium of federal agencies released the Consensus Audit Guidelines Draft 1.0. It is described as the “Twenty Most Important Controls and Metrics for Effective Cyber Defense and Continuous FISMA Compliance”.

Some of these controls may be included in ISO 27001 implementations to complement the controls found in ISO 27002, since 27001 has been criticized for not having enough controls covering web application security and wireless security. Take note that these controls are specific and technology-based.

The controls are as follows:
Critical Control 1: Inventory of Authorized and Unauthorized Hardware
Critical Control 2: Inventory of Authorized and Unauthorized Software; Enforcement of White Lists of Authorized Software
Critical Control 3: Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
Critical Control 4: Secure Configurations of Network Devices such as Firewalls, Routers, and Switches
Critical Control 5: Boundary Defense
Critical Control 6: Maintenance, Monitoring and Analysis of Complete Audit Logs
Critical Control 7: Application Software Security
Critical Control 8: Controlled Use of Administrative Privileges
Critical Control 9: Controlled Access Based On Need to Know
Critical Control 10: Continuous Vulnerability Testing and Remediation
Critical Control 11: Dormant Account Monitoring and Control
Critical Control 12: Anti-Malware Defenses
Critical Control 13: Limitation and Control of Ports, Protocols and Services
Critical Control 14: Wireless Device Control
Critical Control 15: Data Leakage Protection
Critical Control 16: Secure Network Engineering
Critical Control 17: Red Team Exercises
Critical Control 18: Incident Response Capability
Critical Control 19: Data Recovery Capability
Critical Control 20: Security Skills Assessment and Appropriate Training To Fill Gaps

A related article in GCN states that the CAG is not a substitute for FISMA guidance. NIST will also soon finish the third revision of SP 800-53 (Recommended Security Controls for Federal Information Systems and Organizations); comments close on March 27. The current drafts can be found here.

Metricon 3 Slides
The Metricon 3 slides have been out since July 2008, but since I haven’t posted them here before, I’m including a link here.

My favorites are:
Sandy Hawke’s Bringing Metrics into the Enterprise, Kevin Peuhkurinen’s Balanced Scorecard Approach to InfoSec Metrics, Caroline Wong’s Global Information Security Metrics, and Yolanta Beres’ Security Analytics Driving Better Metrics.

Site News
As you’ve probably noticed, I’ve added Search to the site and changed the theme. I’ve also updated the links in ISMS and Security Metrics.

Posted in ISMS, Metrics