Public, Private Experts Create Security Guidelines (Opinion)

Cyber-security experts make consensus audit guidelines of security controls.

by / June 19, 2009

Psst! Hey, CIOs and chief information security officers (CISOs). Are you looking for an edge to give you more confidence in your cyber-security program? Something that will help you sleep better at night, become the envy of your colleagues and leap tall buildings in a single bound?

Would you like to stand in front of your boss and tell him or her with a high degree of certainty that you have a list of baseline information security controls that helped you block well known, high-priority cyber-security attacks? Sound intriguing? The answer might be the consensus audit guidelines (CAG).

Developed by nationally recognized cyber-security experts, CAG comprises 20 specific security controls. A rough draft of the security controls is online.

Based on knowledge of real-world attacks and known vulnerabilities that hackers exploit most frequently, CAG provides fundamental controls to defend the IT environment.

Alan Paller of the SANS Institute calls CAG a "defense that is informed by the offense." Some of these controls are so fundamental you may question why they are included in a document that seems to compete with the Federal Information Security Management Act (FISMA) and the National Institute of Standards and Technology (NIST).

Although FISMA helped shine light on cyber-security, the subsequent NIST guidelines are very complex. Most people agree that NIST special publication, Recommended Security Controls for Federal Information Systems, is a comprehensive security document. Sadly many of them will also tell you it's too comprehensive, and compliance requires too many resources and too much time to fully implement.

So what happens to your agency while you trudge down the road to NIST compliance? Look at the FISMA report card, and you'll see why some agencies experience absolute and apoplectic angst each year it's released.

John Gilligan, CAG project leader and former CIO of the Air Force and Energy Department, made a compelling argument when he stated, "The problem for organizations trying to follow NIST's guidelines amid today's increasing cyber-threats is akin to confronting a raging new pandemic with an encyclopedic field guide to holistic health care."

This has been the view of many security professionals and makes me wonder if it's more important that security professionals be visionaries or practitioners? According to The American Heritage Dictionary, a practitioner is "one who practices something, especially an occupation, profession or technique," whereas a visionary is "one who is given to impractical or speculative ideas; a dreamer."

Ouch! Now I'm not saying NIST is for visionaries and CAG is for practitioners. That's far too simplistic. Those of us fighting cyber-huns and hackers need guidance that can be implemented with limited resources. CAG is a giant step in that direction.

Take a balanced approach and implement CAG while you continue a methodical saunter down the NIST path. With limited resources, it makes sense to do something with concrete results because threats aren't easing up.

Dan Mintz, former CIO of the U.S. Department of Transportation, said CAG "allows often resource-constrained organizations to both focus on the most critical priorities and to implement solutions that are both practical and important." In the interest of full disclosure, I'm looking hard at CAG but waiting to see the next revision and results of its automation tools workshops.

CAG isn't perfect, but when a diverse group of independent security experts from the public and private sectors gather to create CAG, you'd be foolish not to listen.

Are you listening CIOs and CISOs?


The views expressed are solely mine and nothing state in or implied from the article should or may be attributed to the state of California or any of its agencies or employees.


Mark Weatherford Contributing Writer

Mark Weatherford is the former chief information security officer of California. Weatherford now serves as vice president and chief security officer for the North American Electric Reliability Corp., an  organization whose mission is to ensure the reliability of the bulk power system of North America.