51. What is the Consensus Audit Guidelines (CAG) | 20 Critical Security Controls and why are information security policies and procedures so important today, and do you offer comprehensive I.T. security documentation?

The Consensus Audit Guidelines (CAG), also known as the 20 Critical Security Controls, is a publication of best practices relating to computer security that essentially encompasses twenty (20) core controls. Today’s growing cyber security threats are posing serious challenges for organizations regarding the confidentiality, integrity, and availability (CIA) of their networks, ultimately requiring comprehensive measures for protecting critical assets and infrastructure. What’s interesting to note about the 20 Critical Security Controls is the formation itself, which came about due to a collaborative effort amongst a number of well-known entities, such as United States government agencies, information security forensics experts, and others.

The result has been a set of controls viewed very favorably by the information security industry, thus setting the tone for a best practices approach that many organizations - both from a governmental and private sector perspective – actually adhere to. SANS, one of the world’s most well-known and respected information security research and educational institutions, publishes and updates the 20 Critical Security Controls (via versions), which can be found at http://www.sans.org/

Version 4.1 of the Consensus Audit Guidelines (CAG) | 20 Critical Security Controls are as follows:

  • Critical Control 1: Inventory of Authorized and Unauthorized Devices
  • Critical Control 2: Inventory of Authorized and Unauthorized Software
  • Critical Control 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
  • Critical Control 4: Continuous Vulnerability Assessment and Remediation
  • Critical Control 5: Malware Defenses
  • Critical Control 6: Application Software Security
  • Critical Control 7: Wireless Device Control
  • Critical Control 8: Data Recovery Capability
  • Critical Control 9: Security Skills Assessment and Appropriate Training to Fill Gaps
  • Critical Control 10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
  • Critical Control 11: Limitation and Control of Network Ports, Protocols, and Services
  • Critical Control 12: Controlled Use of Administrative Privileges
  • Critical Control 13: Boundary Defense
  • Critical Control 14: Maintenance, Monitoring, and Analysis of Audit Logs
  • Critical Control 15: Controlled Access Based on the Need to Know
  • Critical Control 16: Account Monitoring and Control
  • Critical Control 17: Data Loss Prevention
  • Critical Control 18: Incident Response and Management
  • Critical Control 19: Secure Network Engineering
  • Critical Control 20: Penetration Tests and Red Team Exercises

Security Policies | Essential to the 20 Critical Security Controls

When looking at these twenty (20) control areas – which have changed only slightly from one version to another – one important element is very clear: adherence to the stated best practices concepts requires a comprehensive amount of operational, business specific, and information security policies and procedures, no question about it. How can any framework be considered a true and viable working model without formalized and well-documented policies and procedures?

The FLANK21 set of operational and information security templates from FLANK is your answer, as organizations will receive literally hundreds of essential policies, procedures, forms, checklists, templates, provisioning and hardening documents – and more.