successful attacks, identifying already-compromised machines, interrupting infiltrated attackers’ activities, and gaining information about the sources of an attack. These items are labeled as “Vis/Attrib.”
Hardened Configuration and Improved Information Security Hygiene: These aspects of various controls are designed to improve the information security stance of an organization by reducing the number and magnitude of potential security vulnerabilities as well as improving the operations of networked computer systems. Control guidelines in this category are formulated with the understanding that a well-managed network is a much harder target for computer attackers to exploit. Throughout this document, these items are labeled as “Config/Hygiene.”
Advanced: These items are designed to further improve the security of an organization beyond the other three categories. Organizations handling particularly sensitive networks and information that are already following all of the other controls should focus on this category. Items in this category are simply called “Advanced.”
In general, organizations should examine all twenty control areas against their current status and develop an agency-specific plan to implement the controls. Organizations with limited information security programs may want to address the “Quick Wins” aspects of the controls first in order to make rapid progress and to build momentum within their information security program. Controls identified as Advanced, on the other hand, would typically be implemented to augment or extend the controls in the other three categories.
Why This Project Is So Important: Gaining Agreement among CISOs, CIOs and IGs
Federal Chief Information Security Officers (CISOs) and Chief Information Officers (CIOs) are charged with improving the state of information security across the Federal government. Moreover, they are spending increasing amounts of money to secure their systems. However, the complexity of securing their systems is enormous, and therefore there is a need to focus attention and resources on the most critical risk (and therefore the highest payoff) areas. In addition, CISOs and CIOs want and need specific guidance that can be consistently applied and upon which their performance in improving security can be consistently and fairly evaluated. At the same time, Federal Inspectors General (IGs) and auditors want to ensure that CIOs and CISOs are doing