The Consensus Audit Guidelines (CAG) establish a baseline of 20 top priority security measures and controls that CIOs, CISOs, and IGs should focus on to guard against current and future attacks. Federal and private sector security experts collaborated to develop the CAG by analyzing the numerous attacks being actively and successfully launched against our nation’s federal and industrial base systems.
The CAG provide a prioritized list of essential security strategies and step-by-step actions to help focus effort, but they do not reinvent the wheel. Rather, the controls draw on some of the most important guidelines, standards, and requirements in U.S. government documents, including NIST Special Publication 800-53. The 20 critical controls are mapped to SP 800-53, Rev. 3 and correspond to the highest-priority technical and operational threat areas for federal agency and private sector environments. They also serve as a primary basis for future security audits and evaluations. If an agency's environment warrants further controls, SP 800-53 should be used to identify the additional controls required.
Public Sector Impact
Charged with improving the state of information security across the federal government, CIOs and CISOs want and need specific guidance that can be applied agency-wide, and upon which their performance can be consistently and fairly evaluated. To ensure that organizations are properly securing their systems, the CAG provide IGs and auditors with specific guidance on how to measure security. They also arm technical personnel with a specific set of activities that will aid them in defending against current and near-term attack vectors.
Private Sector Impact
The private sector shares many of the same cyber security issues as the federal government. Because today’s systems are interconnected, exfiltration of information is an area of great concern. Cyber attacks are organized, disciplined, and very aggressive. To address threats, many private sector companies must move to a risk-based protection architecture where their mission and business cases drive their security requirements, associated safeguards, and countermeasures.
The CAG are a first step toward providing specific audit guidelines that federal and private sector organizations can adopt to ensure that systems have baseline security controls in place. Businesses should examine all 20 control areas to assess their current status and develop an entity-specific security program. Implementation of a structured security framework like the CAG will help ensure that organizations are protecting themselves against the most significant attacks.
MORGANFRANKLIN SOLUTIONS
IT Security: IT security remains paramount for any organization dealing with confidential, private, or otherwise sensitive data and communications. Managing risk is not easy, but reputation and value can be preserved when you have a clear understanding of technology risks and an established plan to manage them wisely.
HOW WE CAN HELP
For more than a decade, MorganFranklin has led clients through the high-stakes maze of regulatory compliance, internal controls, enterprise risk management, and other financial, operational, and IT challenges. We deliver tailored programs that bring together your existing mix of risk applications, governance, decision-making structures, and best-of-breed systems. When it comes to technically intensive, time-sensitive, high-stakes, and high-reward risk management and IT needs, rely on MorganFranklin as a get-it-done partner.
To learn more about the CAG, please contact us at ITSecurity@morganfranklin.com