
Twenty Most Important Controls and Metrics for - page 6 / 48






3: Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers.

4: Secure Configurations of Network Devices Such as Firewalls and Routers.

5: Boundary Defense

6: Maintenance and Analysis of Complete Security Audit Logs

7: Application Software Security

8: Controlled Use of Administrative Privileges

9: Controlled Access Based On Need to Know

10: Continuous Vulnerability Testing and Remediation

11: Dormant Account Monitoring and Control

12: Anti-Malware Defenses

13: Limitation and Control of Ports, Protocols and Services

14: Wireless Device Control

15: Data Leakage Protection

Additional Critical Controls (not directly supported by automated measurement and validation):

16.  Secure Network Engineering

17.  Red Team Exercises

18.  Incident Response Capability

19.  Data Recovery Capability


20.  Security Skills Assessment and Training to Fill Gaps

In the pages that follow, each of these controls is described more fully.  Descriptions include how attackers would exploit the lack of the control, how to implement the control, and how to measure if the control has been properly implemented, along with suggestions regarding how standardized measurements can be applied.  As pilot implementations are complete and agencies get experience with automation, we expect the document to be expanded into a detailed audit guide that agency CIOs can use to ensure they are doing the right things for effective cyber defense and that IGs can use to verify the CIOs’ tests.

Insider Threats vs. Outsider Threats

A quick review of the critical controls may lead some readers to think that they are heavily focused on outsider threats and may, therefore, not fully deal with insider

