Consensus audit guidelines

The Twenty Critical Security Controls for Effective Cyber Defense (commonly called the Consensus Audit Guidelines or CAG) is a publication of best practice guidelines for computer security. The project was initiated early in 2008 as a response to extreme data losses experienced by organizations in the US defense industrial base.[1] The publication can be found on the SANS Institute website.



The Consensus Audit Guidelines were compiled by a consortium of more than 100 contributors[2] from US government agencies, commercial forensics experts and pen testers.[3] Authors of the initial draft include members of:

  • US National Security Agency Red Team and Blue Team
  • US Department of Homeland Security, US-CERT
  • US DoD Computer Network Defense Architecture Group
  • US DoD Joint Task Force – Global Network Operations (JTF-GNO)
  • US DoD Defense Cyber Crime Center (DC3)
  • US Department of Energy Los Alamos National Lab, and three other National Labs.
  • US Department of State, Office of the CISO
  • US Air Force
  • US Army Research Laboratory
  • US Department of Transportation, Office of the CIO
  • US Department of Health and Human Services, Office of the CISO
  • US Government Accountability Office (GAO)
  • MITRE Corporation
  • The SANS Institute[1]


The Consensus Audit Guidelines consist of 20 key actions, called security controls, that organizations should take to block or mitigate known attacks. The controls are designed so that primarily automated means can be used to implement, enforce and monitor them.[4] The security controls give no-nonsense, actionable recommendations for cyber security, written in language that’s easily understood by IT personnel.[5] The goals of the Consensus Audit Guidelines include the following:

  • Leverage cyber offense to inform cyber defense, focusing on high payoff areas,
  • Ensure that security investments are focused to counter highest threats,
  • Maximize use of automation to enforce security controls, thereby negating human errors, and
  • Use consensus process to collect best ideas.[6]


Version 3.0 was released on April 13, 2011 and consists of the following security controls.

  • Critical Control 1: Inventory of Authorized and Unauthorized Devices
  • Critical Control 2: Inventory of Authorized and Unauthorized Software
  • Critical Control 3: Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
  • Critical Control 4: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
  • Critical Control 5: Boundary Defense
  • Critical Control 6: Maintenance, Monitoring, and Analysis of Audit Logs
  • Critical Control 7: Application Software Security
  • Critical Control 8: Controlled Use of Administrative Privileges
  • Critical Control 9: Controlled Access Based on the Need to Know
  • Critical Control 10: Continuous Vulnerability Assessment and Remediation
  • Critical Control 11: Account Monitoring and Control
  • Critical Control 12: Malware Defenses
  • Critical Control 13: Limitation and Control of Network Ports, Protocols, and Services
  • Critical Control 14: Wireless Device Control
  • Critical Control 15: Data Loss Prevention
  • Critical Control 16: Secure Network Engineering
  • Critical Control 17: Penetration Tests and Red Team Exercises
  • Critical Control 18: Incident Response Capability
  • Critical Control 19: Data Recovery Capability
  • Critical Control 20: Security Skills Assessment and Appropriate Training to Fill Gaps[3]

Controls 16 through 20 differ from the others because they cannot be automated.[2]

Notable results

Starting in 2009, the US Department of State began supplementing its risk scoring program in part using the Consensus Audit Guidelines. According to the Department's measurements, in the first year of site scoring using this approach the department reduced overall risk on its key unclassified network by nearly 90 percent in overseas sites, and by 89 percent in domestic sites.[7]


Wikimedia Foundation. 2010.
