Last Monday SANS published a draft called the Consensus Audit Guidelines (CAG). The draft gathers input from security experts across many organizations (including the NSA's Red and Blue Teams, US-CERT, DoD, and other government and private groups), and its goal is to list the 20 most important controls in information security, so that practitioners have a clear benchmark for what must be implemented and how to verify the degree of implementation. Fifteen of the controls can, and should, be verified continuously by automated means. Beyond serving as a guide to action for practitioners, the controls can also serve as a basis for audits, hence the name Consensus Audit Guidelines.
The 20 controls are listed below; the first 15 are the ones that can be verified automatically:
- Inventory of Authorized and Unauthorized Hardware
- Inventory of Authorized and Unauthorized Software
- Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
- Secure Configurations of Network Devices Such as Firewalls and Routers
- Boundary Defense
- Maintenance and Analysis of Complete Security Audit Logs
- Application Software Security
- Controlled Use of Administrative Privileges
- Controlled Access Based On Need to Know
- Continuous Vulnerability Testing and Remediation
- Dormant Account Monitoring and Control
- Anti-Malware Defenses
- Limitation and Control of Ports, Protocols and Services
- Wireless Device Control
- Data Leakage Protection
The following 5 controls must be assessed manually to determine how effectively they have been carried out:
1. Secure Network Engineering
2. Red Team Exercises
3. Incident Response Capability
4. Data Recovery Capability
5. Security Skills Assessment and Training to Fill Gaps
It is worth noting that, before implementing these recommended controls, an organization still cannot skip the management fundamentals such as developing its information security policy. This is a prerequisite for putting the controls into practice effectively, and can even be seen as the groundwork for building consensus. Finally, the controls in this draft can be regarded as a subset of NIST SP 800-53, and the draft's appendix maps the correspondence between the two.