IKANHAZFIZMA Tackles the Consensus Audit Guidelines

Posted February 26th, 2009 by

CAG Fever… we haz it here at Guerilla-CISO.  So far the konsensus is that CAG works well as a “Best Practices” document but not really as an auditable standard.  We’re thinking that CAG will provide the rope with which our IGs and GAO will hang us.


Posted in IKANHAZFIZMA

3 Responses

  1.  VirtualMindshare Says:

    CAG cannot be the rope that hangs, because it is purely the categories for the construction of the gallows. By that I mean there are no teeth within the 20 controls… it is purely like saying you will need nails, wood, rope, and so on, without the instructions to put it together. I think you will see that this is placed out to see what sticks.

    This is not to say that there are not some good concepts within the list, but I think it will be difficult to hold agencies to this without placing specific procedures/mindsets and milestones that must be met in the normal day-to-day mission. Changing the mindset will be the only thing that can improve the security posture.

  2.  CAG Critics | Security Says:

    […] Guerilla CISO comments in LOLCats format. He also says “My initial impression is that CAG controls provide worthwhile recommendations but the framework for implementation needs development.” Even that sort of mild criticism is missing from SANS CAG Critics page. Then again in this post, he tears into it more thoroughly. (That's a lot of blog mileage from the CAG. I should take a lesson.) […]

  3.  Roger's Information Security Blog » Blog Archive » CAG Critics Says:

    […] controls map to the already existing 800-53 so it's redundant if you're already doing that. Guerilla CISO comments in LOLCats format. He also says “My initial impression is that CAG controls provide […]
