Cybersecurity audit guidelines recommended

A group of cybersecurity experts today recommended twenty specific security controls that the government and industry should deploy to block or lessen the consequences of cyberattacks that come from inside and outside threats. The recommended controls are meant to provide a standard baseline for measuring computer security.

The recommendations, the Consensus Audit Guidelines, were agreed to by federal and private industry cybersecurity officials and are based on specific experiences in dealing with particular attacks directed at government and the defense industrial base’s information systems. The group also detailed the types of cyberattacks that a recommended security controls could thwart, how a recommended security control could be implemented and how to evaluate its effectiveness.

Alan Paller, the director of research at the SANS Institute who worked on the guidelines, said the strategy is significant because it has specific actions for agencies to take and a way to measure their effectiveness, something he said the Government Accountability Office has been requesting. He said the project, started in early 2008, was inspired by the realization that the defense industrial base’s systems had been deeply penetrated.

“The fundamental error that was made in federal cybersecurity was asking people who had never understood the offense to tell us how to defend our systems,” he added.

The group of officials said the guidelines are meant to provide a set of security control activities that chief information security officers, chief information officers and inspectors general can agree on for evaluating the security of information systems. Although the guidelines are directed at federal agencies, the group said the guidelines are also relevant for systems run by academia and the private sector.

The team that crafted the guidelines was comprised of officials from the Defense and Homeland Security departments, the National Security Agency, The SANS Institute, GAO and labs of the Energy Department.

The guidelines are part of an ongoing effort through the Center for Strategic and International Studies to implement the recommendations of CSIS’ Commission on Cyber Security for the 44th Presidency that were released in December. The recommendations also come during the Obama administration’s ongoing 60-day review of the government’s overall cybersecurity efforts.

Fifteen of the recommended baseline security controls can be monitored automatically and five of the controls would need to be implemented manually. The controls are categorized as steps that can produce “quick wins” to improve cybersecurity, those that would specifically improve visibility and attribution, controls meant to improve an organization’s information security posture, as well as more advanced controls.

The public is being asked to review the guidelines and provide suggestions over the next thirty days; the recommended audit guidelines also will be compared with other audit existing standards. In addition, several federal agencies will also be conducting pilots to test the value of using the guidelines and the CIO Council, as well as the Federal Audit Executive Council also will be reviewing the recommended controls, the group said.

Additions will be made to the guidelines as needed and the National Institute of Standards and Technology is providing explanation on how the recommended guidelines fit with its existing high-level information security control guidance.

The controls that make up guidelines include:

  • Inventories of authorized and unauthorized hardware and software that is used.
  • Secure configurations for hardware, software and network security devices.
  • Wireless device control and data leakage protection.
  • Defenses against malware.
  • Controlled access and administrative privileges.
  • Incident response and data recovery capabilities.
  • Training and security skill assessments for employees.

About the Author

Ben Bain is a reporter for Federal Computer Week.

Featured

  • Telecommunications
    Stock photo ID: 658810513 By asharkyu

    GSA extends EIS deadline to 2023

    Agencies are getting up to three more years on existing telecom contracts before having to shift to the $50 billion Enterprise Infrastructure Solutions vehicle.

  • Workforce
    Shutterstock image ID: 569172169 By Zenzen

    OMB looks to retrain feds to fill cyber needs

    The federal government is taking steps to fill high-demand, skills-gap positions in tech by retraining employees already working within agencies without a cyber or IT background.

  • Acquisition
    GSA Headquarters (Photo by Rena Schild/Shutterstock)

    GSA to consolidate multiple award schedules

    The General Services Administration plans to consolidate dozens of its buying schedules across product areas including IT and services to reduce duplication.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.