IKANHAZFIZMA Tackles the Consensus Audit Guidelines
Posted February 26th, 2009 by rybolov

CAG Fever… we haz it here at Guerilla-CISO. So far the konsensus is that CAG works well as a “Best Practices” document but not really as an auditable standard. We’re thinking that CAG will provide the rope with which our IGs and GAO will hang us.
Posted in IKANHAZFIZMA | 3 Comments »
Tags: auditor • cag • FUD • gao • government • lolcats • pwnage • security
March 1st, 2009 at 1:21 am
CAG cannot be the rope that hangs, because it is purely the categories for the construction of the gallows. By that I mean there are no teeth within the 20 controls… it is purely like saying you will need nails, wood, rope, and so on, without the instructions to put it together. I think you will see that this is placed out to see what sticks.
This is not to say that there are not some good concepts within the list, but I think it will be difficult to hold agencies to this without placing specific procedures/mindsets and milestones that must be met in the normal day-to-day mission. Changing the mindset will be the only thing that can improve the security posture.
June 9th, 2009 at 6:11 pm
[…] Guerilla CISO comments in LOLCats format. He also says “My initial impression is that CAG controls provide worthwhile recommendations but the framework for implementation needs development.” Even that sort of mild criticism is missing from the SANS CAG Critics page. Then again, in this post he tears into it more thoroughly. (That’s a lot of blog mileage from the CAG. I should take a lesson.) […]
June 6th, 2010 at 8:08 pm
[…] controls map to the already existing 800-53, so it’s redundant if you’re already doing that. Guerilla CISO comments in LOLCats format. He also says “My initial impression is that CAG controls provide […]