US Federal Government Cybersecurity Experts List Top 20 Most Critical Security Controls – Whitelisting, Encryption, Data Leak Prevention, Anti-Malware

A consortium of federal agencies has released the first version of the Consensus Audit Guidelines that define the most critical cyber-security controls to protect federal and contractor information and systems.

The SANS website lists the 20 top items.

Whitelisting of authorized and unauthorized hardware and software is a key component of the list.

Anti-Malware defenses make the list, as does data leakage protection.

Section 7 of the Data Leak Prevention section calls for automatic encryption of removable storage (such as USB flash drives) and portable storage (e.g. laptops).

There is a public commentary period until March 23, 2009. I plan to provide some commentary regarding data encryption.

Agencies and organizations that were involved in the creation of this list of security controls include:

• US National Security Agency Red Team and Blue Team
• US Department of Homeland Security, US-CERT
• US DoD Computer Network Defense Architecture Group
• US DoD Joint Task Force – Global Network Operations (JTF-GNO)
• US DoD Defense Cyber Crime Center (DC3)
• US Department of Energy Los Alamos National Lab, and three other National Labs
• US Department of State, Office of the CISO
• US Air Force
• US Army Research Laboratory
• US Department of Transportation, Office of the CIO
• US Department of Health and Human Services, Office of the CISO
• US Government Accountability Office (GAO)
• MITRE Corporation
• The SANS Institute
• Plus commercial penetration testing and forensics experts at InGuardians and Mandiant

2 Responses to “US Federal Government Cybersecurity Experts List Top 20 Most Critical Security Controls – Whitelisting, Encryption, Data Leak Prevention, Anti-Malware”

  1. US Federal Government Cybersecurity Experts List Top 20 Most … | Identity Theft Articles Says:

    [...] here to see the original: US Federal Government Cybersecurity Experts List Top 20 Most … [...]

  2. smith Says:

    Hi,
    This report is a well researched one which has been researched in detail. Such a research is important for many organizations who are unknown about their Computer security. Most of the effort made by the computer security company SANS need to be appreciated. For more information about hacking and related information go through the following site: http://www.eccouncil.org/certification/certified_ethical_hacker.aspx
