It is an open secret that the US government is perhaps the largest software customer in the country. If you or your company deal with any government agency, you will be aware of FISMA (the Federal Information Security Management Act of 2002). Seeking to bolster the criteria of FISMA, several federal agencies and private companies have released the Consensus Audit Guidelines (CAG), which list 20 cybersecurity controls that need to be implemented in your organisation in order to be FISMA compliant. The list runs as follows:
- Inventory of Authorized and Unauthorized Hardware
- Inventory of Authorized and Unauthorized Software; Enforcement of White Lists of Authorized Software
- Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
- Secure Configurations of Network Devices such as Firewalls, Routers, and Switches
- Boundary Defense
- Maintenance, Monitoring and Analysis of Complete Audit Logs
- Application Software Security
- Controlled Use of Administrative Privileges
- Controlled Access Based on Need to Know
- Continuous Vulnerability Testing and Remediation
- Dormant Account Monitoring and Control
- Anti-Malware Defenses
- Limitation and Control of Ports, Protocols and Services
- Wireless Device Control
- Data Leakage Protection
- Secure Network Engineering
- Red Team Exercises
- Incident Response Capability
- Data Recovery Capability
- Security Skills Assessment and Appropriate Training to Fill Gaps
