Twenty Most Important Controls and Metrics for - page 5 / 48

evaluations.  While aimed at government organizations, the principles and measures addressed in this document are also highly applicable to commercial and academic enterprises and should be usable within the commercial marketplace.  

What makes this document effective is that it reflects knowledge of actual attacks and defines controls that would have stopped those attacks from being successful.  To construct the document, we have called upon the people who have first-hand knowledge about how the attacks are being carried out:

1. Red team members in NSA tasked with finding ways of circumventing military cyber defenses

2. Blue team members at NSA who are often called in when military commanders find their systems have been compromised

3. US-CERT and other non-military incident response employees and consultants who are called upon by civilian agencies and companies to identify the most likely method by which the penetrations were accomplished

4. Military investigators who fight cyber crime

5. Cybersecurity experts at US Department of Energy laboratories and Federally Funded Research and Development Centers (FFRDCs)

6. DoD and private forensics experts who analyze computers that have been infected

7. Civilian penetration testers who test civilian government and commercial systems to find how they can be penetrated

8. Federal CIOs and CISOs who have intimate knowledge of cyber attacks

9. The Government Accountability Office (GAO)

Consensus Audit Guideline Controls

Twenty critical security controls were agreed upon by knowledgeable individuals from the groups listed above.  The list of controls includes fifteen that can be validated automatically and five that must be validated manually.

Critical Controls Subject to Automated Measurement and Validation:

1: Inventory of Authorized and Unauthorized Hardware.

2: Inventory of Authorized and Unauthorized Software.
