Friday, July 24, 2009

Top 20 List of Most Critical Cyber Security Controls

The twenty controls were agreed upon by cyber security experts from various Federal Government agencies.

Note: Fifteen of the controls can be validated by automated measurement and tooling; the remaining five must be validated manually.

Consensus Audit Guideline Controls

Critical Controls Subject to Automated Measurement and Validation:

1: Inventory of Authorized and Unauthorized Hardware

2: Inventory of Authorized and Unauthorized Software

3: Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers

4: Secure Configurations of Network Devices Such as Firewalls and Routers

5: Boundary Defense

6: Maintenance and Analysis of Complete Security Audit Logs

7: Application Software Security

8: Controlled Use of Administrative Privileges

9: Controlled Access Based On Need to Know

10: Continuous Vulnerability Testing and Remediation

11: Dormant Account Monitoring and Control

12: Anti-Malware Defenses

13: Limitation and Control of Ports, Protocols and Services

14: Wireless Device Control

15: Data Leakage Protection

Additional Critical Controls (not directly supported by automated measurement and validation):

16: Secure Network Engineering

17: Red Team Exercises

18: Incident Response Capability

19: Data Recovery Capability

20: Security Skills Assessment and Training to Fill Gaps
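To make the "automated measurement and validation" distinction concrete, here is an added example (not part of the original post or of the Consensus Audit Guidelines themselves) of what an automated check for two of the controls above looks like: control 2 (comparing installed software against an approved list) and control 11 (finding enabled accounts that have gone idle). The approved-software list, host inventories and account records are constructed sample data, and the single allow-list shared by all hosts is an assumption made for the example.

```python
"""Added example: automated validation checks for two of the controls above.

Control 2 (software inventory): compare what is actually installed on each
host against an approved list and flag the difference.
Control 11 (dormant accounts): flag enabled accounts whose last login is older
than an idle threshold. All inventories and account records below are
constructed sample data, not taken from any real system.
"""
from datetime import date, timedelta

# Constructed approved-software list. Assumption for this example: one
# allow-list (package name -> approved versions) applies to every host.
AUTHORIZED_SOFTWARE = {
    "openssh-server": {"8.9p1", "9.3p1"},
    "nginx": {"1.24.0"},
    "postgresql": {"15.4"},
}

# Constructed per-host inventory, shaped like a package manager listing.
INSTALLED = {
    "web01": [("nginx", "1.24.0"), ("openssh-server", "9.3p1"),
              ("netcat-traditional", "1.10")],
    "db01": [("postgresql", "15.4"), ("openssh-server", "7.4p1")],
}


def unauthorized_software(installed, authorized):
    """Return (host, package, version) for every installed package that is
    either absent from the approved list or present at an unapproved version.
    Version is checked as well as name: an old openssh-server is still a finding."""
    findings = []
    for host, packages in installed.items():
        for name, version in packages:
            if version not in authorized.get(name, set()):
                findings.append((host, name, version))
    return sorted(findings)


# Constructed account records: (username, enabled, date of last login or None).
ACCOUNTS = [
    ("alice", True, date(2009, 7, 20)),
    ("bob", True, date(2009, 1, 5)),
    ("svc-backup", True, None),            # has never logged in
    ("carol", False, date(2008, 11, 30)),  # already disabled; not a finding
]

# Reference date for the dormancy check (the date of this post).
AS_OF = date(2009, 7, 24)


def dormant_accounts(accounts, as_of, max_idle_days=90):
    """Return usernames of enabled accounts with no login in the last
    max_idle_days. Accounts that have never logged in are reported as dormant;
    disabled accounts are skipped because they are already controlled."""
    cutoff = as_of - timedelta(days=max_idle_days)
    dormant = []
    for user, enabled, last_login in accounts:
        if not enabled:
            continue
        if last_login is None or last_login < cutoff:
            dormant.append(user)
    return sorted(dormant)


if __name__ == "__main__":
    for finding in unauthorized_software(INSTALLED, AUTHORIZED_SOFTWARE):
        print("unauthorized software:", finding)
    for user in dormant_accounts(ACCOUNTS, AS_OF):
        print("dormant account:", user)
```

Two practical caveats when turning this into a real check: the software comparison is only as good as the inventory feed (an attacker-installed binary outside the package manager will not appear in it, which is why control 1 and control 2 pair with file-integrity and host-based monitoring), and "never logged in" service accounts such as svc-backup usually need a separate policy based on their last authenticated use rather than interactive logins, or the check will flood you with false positives.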

The controls above were agreed upon by knowledgeable individuals from the Federal Government entities listed below.

Contributing Federal Groups:

  • Red team members in NSA tasked with finding ways of circumventing military cyber defenses
  • Blue team members at NSA who are often called in when military commanders find their systems have been compromised
  • US-CERT and other non-military incident response employees and consultants who are called upon by civilian agencies and companies to identify the most likely method by which the penetrations were accomplished
  • Military investigators who fight cyber crime
  • Cybersecurity experts at US Department of Energy laboratories and Federally Funded Research and Development Centers (FFRDCs).
  • DoD and private forensics experts who analyze computers that have been infected
  • Civilian penetration testers who test civilian government and commercial systems to find how they can be penetrated
  • Federal CIOs and CISOs who have intimate knowledge of cyber attacks
  • The Government Accountability Office (GAO)
