Tuesday, February 24, 2009

The CAG

Otherwise known as the Consensus Audit Guidelines.

In summary: Do everything we've been telling you to do. Identify -> Assess -> Secure -> Monitor -> Repeat.

See I just saved you two hours of reading.

But seriously, I suppose my main objection (from a very cursory review) is that now the technical controls that have generally been assessed using automated tools, will now be weighted more heavily than those which could conceivably be just as important.

Which is why we have (drum roll please ...) Risk Assessments. So that intelligent humans can decide for themselves which controls are more important than others in their environment.

Taking a step back, FIPS 199 (pdf) asks you to look to the 800-60. In the 800-60 (pdf), there is a lot of discussion around deciding what type of data you are processing, how sensitive is it, whose allowed to see it, who is isn't, etc. From that you are supposed to be able to extract a mystical level of concern for your data (Low, Moderate and High). In my career, I have only personally ever seen one (1) High system and that was for availability. The rest if you must know were/are Moderates.

As the auditor for the High system, we heavily weighted the Incident Response and Contingency Planning controls. We even had the authorizing authority and certification authority say they didn't want to *really* impose the High controls for most of the Technical family (gasp!). We call this a risk based decision. The risks for them were purely from a "keep the damn thing up for the love of all that is holy and good" perspective. But this isn't what I wanted to talk about, I think...

These boiled down "critical controls" are a dangerous thing, in my opinion. Anyone who has been put in a capacity to use/implement the guidelines, I imagine is having similar reactions. Because (again!) there is nothing new here. Now with more confusion because they are guidelines, like all the 800-series documents are guidelines.

Perhaps I will do a more detailed analysis and comment. For now, I find myself agitated and tired.

And they used the word "cyber" too much, MS-Word and OpenOffice don't even think it is a word.

1 comment:

Graydon McKee said...

I haven’t yet read the CAG so I can’t comment on that directly – YET.

I would like to comment on the high system that you mentioned. You understandably didn’t give much information but the scoping guidelines do allow the system owner to step back some controls based upon the security objective determination. Therefore if had a moderate, moderate, high (C,I,A) system you are permitted to step back the controls that deal with confidentiality and integrity to the moderate baseline but you would still have to implement the high baseline controls for availability. Now this is also provided that you adequately document this and reference the specific tailoring guidance from 800-53 and 53A. When I’ve done this in the past I literally repeat the same verbiage for every control that is stepped back. It gets a little repetitive but it does help out in the long run. (The system is still a High system though)

More comments to come as I have time to read the CAG.