Cybersecurity audit guidelines recommended
A group of cybersecurity experts today recommended twenty specific security controls that the government and industry should deploy to block or lessen the consequences of cyberattacks that come from inside and outside threats. The recommended controls are meant to provide a standard baseline for measuring computer security.
The recommendations, the Consensus Audit Guidelines, were agreed to by federal and private industry cybersecurity officials and are based on specific experiences in dealing with particular attacks directed at government and the defense industrial base’s information systems. The group also detailed the types of cyberattacks that a recommended security controls could thwart, how a recommended security control could be implemented and how to evaluate its effectiveness.
Alan Paller, the director of research at the SANS Institute who worked on the guidelines, said the strategy is significant because it has specific actions for agencies to take and a way to measure their effectiveness, something he said the Government Accountability Office has been requesting. He said the project, started in early 2008, was inspired by the realization that the defense industrial base’s systems had been deeply penetrated.
“The fundamental error that was made in federal cybersecurity was asking people who had never understood the offense to tell us how to defend our systems,” he added.
The group of officials said the guidelines are meant to provide a set of security control activities that chief information security officers, chief information officers and inspectors general can agree on for evaluating the security of information systems. Although the guidelines are directed at federal agencies, the group said the guidelines are also relevant for systems run by academia and the private sector.
The team that crafted the guidelines was comprised of officials from the Defense and Homeland Security departments, the National Security Agency, The SANS Institute, GAO and labs of the Energy Department.
The guidelines are part of an ongoing effort through the Center for Strategic and International Studies to implement the recommendations of CSIS’ Commission on Cyber Security for the 44th Presidency that were released in December. The recommendations also come during the Obama administration’s ongoing 60-day review of the government’s overall cybersecurity efforts.
Fifteen of the recommended baseline security controls can be monitored automatically and five of the controls would need to be implemented manually. The controls are categorized as steps that can produce “quick wins” to improve cybersecurity, those that would specifically improve visibility and attribution, controls meant to improve an organization’s information security posture, as well as more advanced controls.
The public is being asked to review the guidelines and provide suggestions over the next thirty days; the recommended audit guidelines also will be compared with other audit existing standards. In addition, several federal agencies will also be conducting pilots to test the value of using the guidelines and the CIO Council, as well as the Federal Audit Executive Council also will be reviewing the recommended controls, the group said.
Additions will be made to the guidelines as needed and the National Institute of Standards and Technology is providing explanation on how the recommended guidelines fit with its existing high-level information security control guidance.
The controls that make up guidelines include:
- Inventories of authorized and unauthorized hardware and software that is used.
- Secure configurations for hardware, software and network security devices.
- Wireless device control and data leakage protection.
- Defenses against malware.
- Controlled access and administrative privileges.
- Incident response and data recovery capabilities.
- Training and security skill assessments for employees.
Ben Bain is a reporter for Federal Computer Week.