What are the Controls?

Consensus Audit Guidelines

PUBLISHED: February 23, 2009


NOTE: An updated version of this topic was published on November 13, 2009. For the latest information, please visit the updated page.

The detailed Consensus Audit Guidelines are posted at www.sans.org/cag along with detailed control descriptions, examples of attacks they stop or mitigate, how to automate them, and how to test them.

Below is the list of control names:

Critical Controls Subject to Automated Measurement and Validation:
  1.  Inventory of Authorized and Unauthorized Hardware
  2.  Inventory of Authorized and Unauthorized Software
  3.  Secure Configurations for Hardware and Software for Which Such Configurations Are Available
  4.  Secure Configurations of Network Devices Such as Firewalls and Routers
  5.  Boundary Defense
  6.  Maintenance and Analysis of Complete Security Audit Logs
  7.  Application Software Security
  8.  Controlled Use of Administrative Privileges
  9.  Controlled Access Based on Need to Know
  10. Continuous Vulnerability Testing and Remediation
  11. Dormant Account Monitoring and Control
  12. Anti-Malware Defenses
  13. Limitation and Control of Ports, Protocols and Services
  14. Wireless Device Control
  15. Data Leakage Protection

Additional Critical Controls

These additional critical controls are not directly supported by automated measurement and validation.

  16. Secure Network Engineering
  17. Red Team Exercises
  18. Incident Response Capability
  19. Assured Data Back-Ups
  20. Security Skills Assessment and Training to Fill Gaps

The technical editor for the Consensus Audit Guidelines is Ed Skoudis, author of both Malware and Counter Hack Reloaded. Ed has trained more incident handlers and penetration testers, inside and outside government, than any other person and is often called to manage incident handling when major financial institutions or retailers have been breached.