Consensus Audit Guidelines Announced
(Dec. 11, 2008) - The Consensus Audit Guidelines project is a collaborative effort between industry and government to identify the most critical security controls to defending our Nation’s cyber systems from attacks.
Currently work is underway to refine a draft document. It is expected to be released for public review and comment in January, 2009. There are six steps in the current draft guidelines:
- (1.) Documenting problems with the current regime – irrefutable evidence
- (2.) Prioritizing controls based on threat and impact – consensus and provable threat/impact
- (3.) Finding tests that can be trusted to validate the controls
- (4.) Gaining community-wide consensus
- (5.) Gaining Federal CIO Council/Federal CISO adoption of these tests as core measures.
- (6.) Continuing (i.e., quarterly) updates.
Background
1. What is the Consensus Audit Guidelines (CAG) Project?
The Consensus Audit Guidelines Project is a joint effort, by a broadly-based group of security and audit experts inside and outside government, to identify the core elements of security programs that:
(1) are essential because they can actually block or mitigate attacks that are hitting federal systems
(2) can be measured in a reliable way so that executives can rely on the conclusions.
2. Why Is It Needed?
Federal CIOs are required by the Federal Information Security Management Act (FISMA) to ensure that their agencies implement effective security controls. Additional guidance regarding implementation of FISMA has been provided by OMB and the National Institute of Standards and Technology.
Nevertheless, there are significant weaknesses in the implementation of these mandates. As a result, many agencies have failed to ensure effective security controls. Even those agencies that have received high grades from their Inspectors General admit privately that any two auditors reviewing their systems would come to different conclusions.
This is because the definition of the controls, as provided by NIST, is not sufficiently specific. The high grades were accomplished, in many cases, through negotiation with the Inspectors General over subjective assessment criteria rather than through measurement of effective security against common, objective criteria. And whether their grades were high or low, every large agency has been deeply penetrated by unauthorized people.
One agency executive testified that he knew about the attacks but had no idea how far and how deep they had burrowed into the agency systems. In other words, while well intended, the current system is failing to achieve the objective of ensuring effective security.
A new way to identify the controls that are most effective in deterring attacks, as well as an objective way of measuring security, is needed. The missing ingredient is authoritative, specific and reliable answers to two questions:
(1.) Which controls do we need to install immediately to secure our systems and information adequately against current attacks? (i.e., Prioritized Controls)
(2.) How can we measure, on a continuous and objective basis, whether we have implemented those controls effectively? (i.e., Continuous and Objective Measures of Effectiveness)
This project is designed to provide the answers to these two questions.
3. Why now? The Changing FISMA Legislation
The US Senate and House of Representatives are working toward a major revision of the Federal Information Security Management Act (FISMA) that has a high probability of requiring that agencies prioritize their security controls and measure them continuously.
In other words, federal agencies may have an immediate need for the two answers. If so, this consensus project may be able to facilitate rapid, effective implementation of the new law.
To promote ease of viewing and sharing, two documents are presented as embedded content at the end of this page. Direct links to both documents -- in PDF format and on the Slideshare page where the embedded content is hosted -- are provided below.
From John Gilligan
Ensuring Effective Security, the CIO's Dilemma (PDF)
Ensuring Effective Security, the CIO's Dilemma (PPT - On Slideshare)
From Alan Paller, Director of Research, SANS Institute
It is Time to Switch to Attack-based Metrics for FISMA Compliance (PDF)
It is Time to Switch to Attack-based Metrics for FISMA Compliance (PPT - On Slideshare)
Note that an Adobe reader plug-in to your browser is required for viewing these Portable Document Format (PDF) documents.