CAG Critics

SANS has a course coming up in a few weeks in DC on implementing the Consensus Audit Guidelines. That caused me to take another look at www.sans.org/cag. Looks like they published an updated draft on May 9th. 2009. The name seems to have morphed from Consensus Audit Guidelines to 20 Critical Security Controls. What really drew my eye was the “critics” page.
The critics page contains solely glowing praise. Often that praise is from people who wrote the CAG. Maybe I’m taking “critics to literally, but I am reminded of the movie “critics” that write with the goal of their review being included in the advertising.
There has been plenty of criticism of the CAG.
Richard Bejtlich points out that it doesn’t help keep score, its controls are reactionary. Additionally its controls map to the already existing 800-53 so its redundant if you’re already doing that.
Guerilla CISO comments in LOLCats format. He also says “My initial impression is that CAG controls provide worthwhile recommendations but the framework for implementation needs development.” Even that sort of mild criticism is missing from SANS CAG Critics page. Then again in this post, he tears into it more thoroughly. (Thats a lot of blog mileage from the CAG. I should take a lesson.)
I’m starting to think the CAG (sorry now its CSC – Critical Security Controls) is like the SANS FBI Top 20. Its not written for me. Its written to get in the press. Its written for people who have no clue where to start. For me, I’m taking away some idea on how to proactively audit some of the CAG items, but the box is already checked in FISMA for those items so buying anything new is a tough sell right now.
I’m still going to try to get the company to send me to the 20 Critical Security Controls: Planning, Implementing and Auditing 2009. I just found the SANS CAG Critics page amusing.