Meet John Gilligan. John Gilligan, the President of Gilligan Group, is a proven IT innovator with a strong blend of leadership and operational experience.
The Cyber Security Commission formed to advise the incoming Administration released its recommendations on December 8th. John Gilligan co-authored the report.
Managing Complexity. In his government career, Mr. Gilligan successfully managed some of the most complex IT development and integration programs.
Next Steps on Consensus Audit Guidelines


Version 1.0 Draft Document Released for Peer Review


PUBLISHED: February 23, 2009


NOTE: An updated version of this topic was published on November 13, 2009. For the latest information, please visit the updated page.

A six-pronged effort is moving the Consensus Audit Guidelines toward broad adoption:


1. Public review: During the next 30 days, security professionals around the world will be reviewing the CAG and providing comments. All suggestions for additions will be put through the same filter that made the CAG valuable in the first place: proposed controls must be provably able to stop or mitigate known attacks, and the proposer must provide details of relevant real-world attacks. Comments can be made with or without attribution, but nothing gets added to the CAG unless it can be proven to significantly strengthen defense against real attacks.

2. Pilot implementation: Pilots will be conducted in several federal agencies during this year to test the CAG for value and cost compared with what would have been done under the current practices that the agencies use.

3. CIO Council Review: A security committee of the federal CIO Council will be reviewing the CAG to determine how it could be used on a broad basis to focus federal security expenditures.

4. Inspector General Review: A team from the Federal Audit Executive Council will be reviewing the CAG to determine how it might allow auditors to provide reviews that more accurately measure the security of Federal systems.

5. CAG Automation Tools Workshops: A series of workshops will be held in which federal users that have already automated controls identified in the CAG can present the lessons they have learned about what works and why. The result of the workshops will be requirements documents for automation of each of the fifteen controls that can be used by government procurement efforts such as the GSA SmartBuy program and by the DoD Enterprise Systems and Solutions Group to begin government-wide procurement of the necessary technologies.

6. Global validation: During the comment period, the CAG will be closely compared with the audit guides for ISO 2700x, HIPAA, GLB, PCI, and SOX compliance testing to determine whether any of these include controls and tests that do a better job of blocking or mitigating known attacks.