Consensus Audit Guidelines (CAG)
Compliance Guide
September 2011
Rapid7 Corporate Headquarters 800 Boylston Street, Prudential Tower, 29th Floor, Boston, MA 02199-8095 617.247.1717 www.rapid7.com
What is the CAG?
The Consensus Audit Guidelines (CAG) provide critical U.S. Federal government
infrastructures with a proactive cyber-security framework to prioritize critical IT security
concerns. The CAG was developed by a consortium of Federal government agencies and
private sector partners, including such notable members as the Department of Defense,
Department of Energy, FBI and US-CERT, National Institute of Standards and Technology
(NIST) and the SANS Institute. Designed to protect critical IT systems from real-world
attacks, the CAG goes beyond the annual compliance-driven audits and the checklist-focused approach found in the
Federal Information Security Management Act (FISMA). The CAG provides Federal agencies with tools to prioritize
critical IT security concerns as part of managing system design and operations rather than trying to manage security
as an ad-hoc exercise on the side.
The CAG has been mapped to FISMA controls, and has been leveraged by NIST to update the FISMA controls outlined
in Special Publication SP 800-53. The CAG is also being used to update FISMA as part of the new U.S. Information
and Communications Enhancement (ICE) Act. In the meantime, the consortium that developed the CAG is advising
the use of the CAG security controls as a first step towards implementing the controls outlined in NIST’s SP 800-53
guidelines for FISMA compliance. The mapping of CAG security controls to FISMA makes it possible to leverage
standardization efforts like SCAP together with repositories of content like the National Vulnerability Database
(NVD), enabling organizations to use automated tools for on-going infrastructure monitoring for vulnerabilities,
misconfigurations and policy violations. This baseline data also helps auditors to perform the additional validation
required to meet annual and quarterly compliance requirements.
Using CAG provides a simple first step towards becoming compliant with current FISMA regulations, with the added
benefit of getting aligned with the provisions in the ICE Act. However, the most important benefit provided by the
CAG is real-world tested guidance on how to implement robust, proactive, continuous security control measures. The
real goal of applying CAG is not simply to become compliant with regulations, but rather to provide a template for
making security best practices an integral part of system design and operation so that Federal agencies can ensure
their systems are capable of withstanding the more frequent and in-depth attacks found in an increasingly complex
threat landscape.
Who needs the CAG?
The CAG was originally designed to meet the needs of information technology providers for Federal government
agencies and departments. However, studies of the cyber security threats to North American critical infrastructure
revealed that private sector entities interact with more than 85% of the critical infrastructure in the United
States. As a result, President Obama’s former interim Cyber Security Czar, Melissa Hathaway, recommended
applying the same security guidelines to both public and private sector entities that utilize, manage, or run
critical infrastructures. Critical infrastructure entities outside of the Federal government include organizations
in Healthcare Services, Energy, Financial Services, Telecommunications and Transportation. CAG guidelines easily
supplement and enhance the security requirements already needed to comply with regulations in these industries,
including FISMA, NERC, PCI, GLBA and HIPAA.
How Rapid7 Helps
Rapid7 provides the only unified threat management solution to help organizations understand risk and adopt best
practices to optimize their network security, Web application security and database security strategies. Rapid7
has extensive experience partnering with Federal departments and agencies, such as the U.S. Department of
Energy, United States Postal Service (USPS), the National Nuclear Security Administration (NNSA), and the National
Telecommunications and Information Administration (NTIA), to help them meet their regulatory requirements.
Rapid7 security solutions help thwart real-world attacks by helping organizations apply the CAG’s twenty Critical
Security Controls (CSC), also known as the SANS twenty Critical Security Controls. To meet CAG compliance,
organizations must demonstrate adherence to the twenty CSCs as outlined below.
Controls suited for automation
Fifteen CSC categories are suited for automated collection, measurement and validation. Rapid7 Nexpose
proactively automates the process of monitoring, measuring, validating, and prioritizing security threats for these
CSCs as follows:
Control Rapid7 Solution
CSC-1: Inventory of Authorized and Unauthorized Devices
- Enables administrators to build and manage an asset inventory by performing either manual or scheduled discovery scans.
- Automates the task of asset discovery and identification by scanning the entire infrastructure for all networked devices.
- Assembles an inventory of every system that has an IP address on the network, including databases, desktops, laptops, servers, subnets, network equipment (routers, switches, firewalls, etc.), printers, Storage Area Networks, and Voice-over-IP (VoIP) phones.
- Enables administrators to configure asset scanning and reporting using sites and asset groups based on specific criteria such as device type, software type, operating system type, or geographic location.
- Provides fully customizable policy scanning to determine presence of unauthorized devices in accordance with policies for whitelisting authorized devices and blacklisting unauthorized devices.
- Catalogs all devices in Nexpose as it scans and automatically sends alerts to administrators about any deviations from the expected inventory of assets on the network.
CSC-2: Inventory of Authorized and Unauthorized Software
- Automates the task of asset discovery and identification by scanning and assembling an inventory of software on every networked device with an IP address anywhere in the infrastructure, including servers, workstations and laptops.
- Provides automation in tracking the types of operating systems and applications installed on each system, including versions and patch levels.
- Provides fully customizable policy scanning to establish baseline configurations, test the effectiveness of security measures, and determine the presence of unauthorized software and services in accordance with policies for whitelisting authorized software and blacklisting unauthorized software.
- Catalogs all software as it scans, including any malicious software, by using the latest fingerprinting technologies to identify systems, services, and installed applications.
- Sends alerts automatically to administrators for any deviations from the expected inventory of assets on the network.
CSC-3: Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
- Provides the ability to establish baseline configurations to validate the effectiveness of security policies in both test and production environments against the baseline condition by checking for the presence of unauthorized devices in accordance with policies for whitelisting authorized devices and blacklisting unauthorized devices.
- Provides fully customizable Nexpose scanning templates to allow for policy scanning for Windows, Oracle and IBM systems.
- Provides flexible, customizable policy scanning to detect misconfigurations, identify missing patches against mitigating control policies, and apply risk scoring to measure violations against established desktop and server configuration management policies on servers, workstations, laptops, handheld devices, multiple classes of Web applications, and database applications including MS SQL Server, Oracle, MySQL, and DB2.
- Enables administrators to validate and report on adherence to configuration policies within the asset inventory by performing either manual or scheduled policy configuration scans.
CSC-4: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
- Provides fully customizable policy scanning to detect misconfigurations, locate unnecessary services, find default accounts, identify missing patches against mitigating control policies, and apply risk scoring to measure violations against established configuration management policies for network devices, including firewalls, routers and switches.
- Provides fully customizable Nexpose scanning templates to allow for policy scanning in order to validate Windows firewall settings.
- Provides the ability to establish baseline configurations to validate the effectiveness of security policies in both test and production environments against the baseline condition by checking for the presence of unauthorized network device configuration in accordance with policies for firewall rules, router access control lists, and IDS/IPS detection.
CSC-5: Boundary Defense
- Provides a fully customizable policy compliance framework to set up automated monitoring of port access policies.
- Provides fully customizable risk scoring, policy auditing, and vulnerability scanning to alert you of policy violations or misconfigurations, including validation of up-to-date firewalls and IDS/IPS system patches.
- Includes the option to use either a hosted scan engine through Rapid7’s Managed PCI Compliance Services, or your own external distributed scan engine outside your DMZ to perform external perimeter vulnerability scanning.
CSC-6: Maintenance, Monitoring, and Analysis of Security Audit Logs
- Provides a fully customizable policy compliance framework to set up automated monitoring of security audit log policies.
CSC-7: Application Software Security
- Provides the ability to perform on-going scheduled and ad-hoc scanning of Web applications for XSS and SQL injection. Enables Web form scanning using form-based authentication.
- Provides the ability to establish baseline configurations to validate the effectiveness of security policies after Web application changes in both test and production environments against the baseline condition by checking for security violations in Web applications, as well as in underlying database servers, including MS SQL Server, Oracle, MySQL, and DB2.
- Provides comprehensive unified vulnerability scanning of all vital systems to evaluate potential risks to operating systems, Web applications, databases, enterprise applications, and custom applications.
- Provides a fully customizable policy compliance framework to set up automated monitoring of software policy settings, including Web browser patch levels and configuration settings for Web applications, including their underlying database servers.
- Provides fully customizable risk scoring, policy auditing, and vulnerability scanning to alert you of policy violations or misconfigurations.
CSC-8: Controlled Use of Administrative Privileges
- Provides the ability to segregate administrative privileges using role-based access control to limit vulnerability information to appropriate parties.
- Provides access to Rapid7 Risk Assessment Services to identify gaps in your security program, determine if security policies are being followed in actual day-to-day operations (i.e. policies for maintaining least privilege, segregation of duties, and patching on databases containing private data), and provide guidance on developing missing control policies and procedures required to secure private data from external threats.
CSC-9: Controlled Access Based on Need to Know
- Provides the ability to test servers to ensure they are configured with the proper level of access control, including separation of duties for default and new accounts, and to verify that server configurations have been locked down to the least level of privilege.
CSC-10: Continuous Vulnerability Assessment and Remediation
- Provides ad-hoc scans of newly introduced vulnerabilities so that you can immediately:
  o Scan for new vulnerabilities
  o View a report of all vulnerabilities found
  o View a record of new vulnerabilities added
- Provides the ability to define scan frequency, including the option to use randomized scanning, and high-speed parallel scanning (2-4 times faster than competitors), which enhances security by providing capacity for more frequent scans so your security team always has access to the most current data.
- Enables authenticated scanning in applications as well as in Web forms.
- Provides flexible, customizable policy scanning to detect misconfigurations, identify missing patches against mitigating controls or compensating control policies, and apply risk scoring to measure violations and establish trends against established baselines for all networked devices and software.
- Provides customizable policy scanning to establish baseline configurations, test the effectiveness of security measures, and provide both executive and detailed analyst reports. The findings include which authorized and unauthorized devices were discovered, based on Nexpose templates configured to identify whitelisted (authorized) and blacklisted (unauthorized) devices.
- Provides customizable, prioritized risk scoring to customize severity levels for more accurate remediation reporting suited to your environment.
- Enables easy integration of vulnerability and compliance management into existing business processes and IT systems, such as GRC solutions like Archer, help desk, asset management and other security solutions, via pre-built integrations and Rapid7’s Nexpose API.
CSC-11: Account Monitoring and Control
- Enforces password policies through regularly scheduled scanning and reporting. Uses our customizable policy compliance framework to set up automated monitoring of password policies (including number of login attempts, password length, allowable special characters, etc.).
- Provides monitoring of software installation policies, and reports on illegal software installed on users’ systems.
CSC-12: Malware Defenses
- Catalogs all software as it scans, including any malicious software.
CSC-13: Limitation and Control of Network Ports, Protocols, and Services
- Provides fully customizable policy scanning to monitor policy violations or misconfigurations of network ports, protocols, and services.
CSC-14: Wireless Device Control
- Provides fully customizable policy scanning to monitor policy violations or misconfigurations of network ports, protocols, and services.
- Provides access to Rapid7 Wireless Audit Consulting Services to evaluate your wireless security controls on all wireless access points, identify gaps in your security program, determine if security policies are being followed in actual day-to-day operations, and provide guidance on developing missing control policies and procedures required to secure private data from unauthorized access.
CSC-15: Data Loss Prevention
- Provides a HIPAA scan template that detects PII, such as Social Security numbers, on Web pages for better patient privacy in medical institutions. To further enhance the HIPAA audit, the scan template can be configured to allow file searching, so that if Nexpose gains access to an asset’s file system during the scan it can search for, and retrieve, files on that system. For example, HIPAA regulations do not allow medical offices to store patient data on local drives, so file searching can be useful for checking that.
- Provides the ability to configure custom scan templates to search Web applications for specific data patterns that indicate the presence of PII that would lead to security violations.
- Provides automated mechanisms that increase the availability of incident-response-related information by providing details on potential vulnerabilities that were exploited, as well as remediation steps to prevent future exploits.
- Provides continuous logging of historical scan data for use in disaster recovery and auditing.
- Provides access to Rapid7 Risk Assessment Services to provide guidance on developing incident management and disaster recovery program best practices for protecting personal information, by evaluating security controls for modification of access rights and providing guidance on developing missing control policies.
Controls not directly supported by automation
Five CSC categories are not directly supported by automation. Rapid7’s Consulting Services has security experts to
assist you in measuring and validating these CSC categories as follows:
Control Rapid7 Solution
CSC-16: Secure Network Engineering
- Provides access to Rapid7 Risk Assessment Services to evaluate your security controls, identify gaps in your security program, and provide guidance on incorporating secure network engineering best practices.
CSC-17: Penetration Tests and Red Team Exercises
- Provides access to Rapid7 Penetration Testing Services to evaluate your security controls, perform internal and external testing, perform social engineering, identify gaps in your security program, and provide an actionable remediation plan.
- Provides access to Rapid7 Security Experts to determine if security policies are being followed in actual day-to-day operations, and provide guidance on developing missing control policies and procedures required to secure information systems and data from external threats.
CSC-18: Incident Response Capability
- Provides an automated end-to-end security solution to document all security incidents and the subsequent effects of vulnerability remediation, establishing a historical audit log record; includes fully configurable automated notifications and a ticketing system for customizable case escalation, ticket creation, and notification, with the ability to integrate with third-party ticketing systems.
- Provides access to Rapid7 Security Experts to determine if security policies are being followed in actual day-to-day operations, and provide guidance on developing missing control policies and procedures required to secure information systems and data from external threats.
CSC-19: Data Recovery Capability
- Provides access to Rapid7 Risk Assessment Services to evaluate whether data recovery capabilities have been adequately embedded into security controls, and identify gaps in your security program.
CSC-20: Security Skills Assessment and Appropriate Training to Fill Gaps
- Provides access to Rapid7 Risk Assessment Services to determine the need for holistic vulnerability management security training by evaluating security awareness during penetration testing and social engineering exercises, followed by recommendations for the security awareness training required as part of an integrated security management program.
Contact us to find out more about how Rapid7 can help you incorporate the twenty CSCs of the CAG into your
on-going, prioritized, unified security management program.
To see how Rapid7’s IT Security Risk Management suite can benefit your organization, visit Rapid7.com.

 
Splunk for compliance
Splunk for complianceSplunk for compliance
Splunk for compliance
 
Splunk for compliance
Splunk for complianceSplunk for compliance
Splunk for compliance
 
NIST Special Publication 800-37 Revision 2 Ris.docx
 NIST Special Publication 800-37 Revision 2  Ris.docx NIST Special Publication 800-37 Revision 2  Ris.docx
NIST Special Publication 800-37 Revision 2 Ris.docx
 
Cst 630 Extraordinary Success/newtonhelp.com
Cst 630 Extraordinary Success/newtonhelp.comCst 630 Extraordinary Success/newtonhelp.com
Cst 630 Extraordinary Success/newtonhelp.com
 
Cst 630 Motivated Minds/newtonhelp.com
Cst 630 Motivated Minds/newtonhelp.comCst 630 Motivated Minds/newtonhelp.com
Cst 630 Motivated Minds/newtonhelp.com
 
Cst 630 Education is Power/newtonhelp.com
Cst 630 Education is Power/newtonhelp.comCst 630 Education is Power/newtonhelp.com
Cst 630 Education is Power/newtonhelp.com
 
Cst 610 Your world/newtonhelp.com
Cst 610 Your world/newtonhelp.comCst 610 Your world/newtonhelp.com
Cst 610 Your world/newtonhelp.com
 
Cst 610 Education is Power/newtonhelp.com
Cst 610 Education is Power/newtonhelp.comCst 610 Education is Power/newtonhelp.com
Cst 610 Education is Power/newtonhelp.com
 

More from Rapid7

The Internet of Fails - Mark Stanislav, Senior Security Consultant, Rapid7
The Internet of Fails - Mark Stanislav, Senior Security Consultant, Rapid7The Internet of Fails - Mark Stanislav, Senior Security Consultant, Rapid7
The Internet of Fails - Mark Stanislav, Senior Security Consultant, Rapid7Rapid7
 
[INFOGRAPHIC] The Credit Card Criminal's Playbook: A Retail Data Breach Attac...
[INFOGRAPHIC] The Credit Card Criminal's Playbook: A Retail Data Breach Attac...[INFOGRAPHIC] The Credit Card Criminal's Playbook: A Retail Data Breach Attac...
[INFOGRAPHIC] The Credit Card Criminal's Playbook: A Retail Data Breach Attac...Rapid7
 
OpenSSL Heartbleed Vulnerability Explained & Tips for Protection
OpenSSL Heartbleed Vulnerability Explained & Tips for ProtectionOpenSSL Heartbleed Vulnerability Explained & Tips for Protection
OpenSSL Heartbleed Vulnerability Explained & Tips for ProtectionRapid7
 
How to Manage Your Security Control's Effectiveness
How to Manage Your Security Control's EffectivenessHow to Manage Your Security Control's Effectiveness
How to Manage Your Security Control's EffectivenessRapid7
 
Penetration Testing Techniques - DREAD Methodology
Penetration Testing Techniques - DREAD MethodologyPenetration Testing Techniques - DREAD Methodology
Penetration Testing Techniques - DREAD MethodologyRapid7
 
Life's a Breach: Yahoo Gets Burned by SQL Injection
Life's a Breach: Yahoo Gets Burned by SQL InjectionLife's a Breach: Yahoo Gets Burned by SQL Injection
Life's a Breach: Yahoo Gets Burned by SQL InjectionRapid7
 
Rapid7 Report: Data Breaches in the Government Sector
Rapid7 Report: Data Breaches in the Government SectorRapid7 Report: Data Breaches in the Government Sector
Rapid7 Report: Data Breaches in the Government SectorRapid7
 
Rapid7 Report: Security Flaws in Universal Plug and Play: Unplug, Don't Play.
Rapid7 Report: Security Flaws in Universal Plug and Play: Unplug, Don't Play.Rapid7 Report: Security Flaws in Universal Plug and Play: Unplug, Don't Play.
Rapid7 Report: Security Flaws in Universal Plug and Play: Unplug, Don't Play.Rapid7
 
Rapid7 NERC-CIP Compliance Guide
Rapid7 NERC-CIP Compliance GuideRapid7 NERC-CIP Compliance Guide
Rapid7 NERC-CIP Compliance GuideRapid7
 
Demystifying PCI DSS: Expert Tips and Explanations to Help You Gain PCI DSS C...
Demystifying PCI DSS: Expert Tips and Explanations to Help You Gain PCI DSS C...Demystifying PCI DSS: Expert Tips and Explanations to Help You Gain PCI DSS C...
Demystifying PCI DSS: Expert Tips and Explanations to Help You Gain PCI DSS C...Rapid7
 
Best Practices to Protect Cardholder Data Environment and Achieve PCI Compliance
Best Practices to Protect Cardholder Data Environment and Achieve PCI ComplianceBest Practices to Protect Cardholder Data Environment and Achieve PCI Compliance
Best Practices to Protect Cardholder Data Environment and Achieve PCI ComplianceRapid7
 
IT Security in Higher Education
IT Security in Higher EducationIT Security in Higher Education
IT Security in Higher EducationRapid7
 
Protecting Patient Health Information in the HITECH Era
Protecting Patient Health Information in the HITECH EraProtecting Patient Health Information in the HITECH Era
Protecting Patient Health Information in the HITECH EraRapid7
 
The Dynamic Nature of Virtualization Security
The Dynamic Nature of Virtualization SecurityThe Dynamic Nature of Virtualization Security
The Dynamic Nature of Virtualization SecurityRapid7
 
What is Penetration Testing?
What is Penetration Testing?What is Penetration Testing?
What is Penetration Testing?Rapid7
 
Combating Phishing Attacks
Combating Phishing AttacksCombating Phishing Attacks
Combating Phishing AttacksRapid7
 
Get Real-Time Cyber Threat Protection with Risk Management and SIEM
Get Real-Time Cyber Threat Protection with Risk Management and SIEMGet Real-Time Cyber Threat Protection with Risk Management and SIEM
Get Real-Time Cyber Threat Protection with Risk Management and SIEMRapid7
 
How to Sell Security to Your CIO
How to Sell Security to Your CIOHow to Sell Security to Your CIO
How to Sell Security to Your CIORapid7
 

More from Rapid7 (18)

The Internet of Fails - Mark Stanislav, Senior Security Consultant, Rapid7
The Internet of Fails - Mark Stanislav, Senior Security Consultant, Rapid7The Internet of Fails - Mark Stanislav, Senior Security Consultant, Rapid7
The Internet of Fails - Mark Stanislav, Senior Security Consultant, Rapid7
 
[INFOGRAPHIC] The Credit Card Criminal's Playbook: A Retail Data Breach Attac...
[INFOGRAPHIC] The Credit Card Criminal's Playbook: A Retail Data Breach Attac...[INFOGRAPHIC] The Credit Card Criminal's Playbook: A Retail Data Breach Attac...
[INFOGRAPHIC] The Credit Card Criminal's Playbook: A Retail Data Breach Attac...
 
OpenSSL Heartbleed Vulnerability Explained & Tips for Protection
OpenSSL Heartbleed Vulnerability Explained & Tips for ProtectionOpenSSL Heartbleed Vulnerability Explained & Tips for Protection
OpenSSL Heartbleed Vulnerability Explained & Tips for Protection
 
How to Manage Your Security Control's Effectiveness
How to Manage Your Security Control's EffectivenessHow to Manage Your Security Control's Effectiveness
How to Manage Your Security Control's Effectiveness
 
Penetration Testing Techniques - DREAD Methodology
Penetration Testing Techniques - DREAD MethodologyPenetration Testing Techniques - DREAD Methodology
Penetration Testing Techniques - DREAD Methodology
 
Life's a Breach: Yahoo Gets Burned by SQL Injection
Life's a Breach: Yahoo Gets Burned by SQL InjectionLife's a Breach: Yahoo Gets Burned by SQL Injection
Life's a Breach: Yahoo Gets Burned by SQL Injection
 
Rapid7 Report: Data Breaches in the Government Sector
Rapid7 Report: Data Breaches in the Government SectorRapid7 Report: Data Breaches in the Government Sector
Rapid7 Report: Data Breaches in the Government Sector
 
Rapid7 Report: Security Flaws in Universal Plug and Play: Unplug, Don't Play.
Rapid7 Report: Security Flaws in Universal Plug and Play: Unplug, Don't Play.Rapid7 Report: Security Flaws in Universal Plug and Play: Unplug, Don't Play.
Rapid7 Report: Security Flaws in Universal Plug and Play: Unplug, Don't Play.
 
Rapid7 NERC-CIP Compliance Guide
Rapid7 NERC-CIP Compliance GuideRapid7 NERC-CIP Compliance Guide
Rapid7 NERC-CIP Compliance Guide
 
Demystifying PCI DSS: Expert Tips and Explanations to Help You Gain PCI DSS C...
Demystifying PCI DSS: Expert Tips and Explanations to Help You Gain PCI DSS C...Demystifying PCI DSS: Expert Tips and Explanations to Help You Gain PCI DSS C...
Demystifying PCI DSS: Expert Tips and Explanations to Help You Gain PCI DSS C...
 
Best Practices to Protect Cardholder Data Environment and Achieve PCI Compliance
Best Practices to Protect Cardholder Data Environment and Achieve PCI ComplianceBest Practices to Protect Cardholder Data Environment and Achieve PCI Compliance
Best Practices to Protect Cardholder Data Environment and Achieve PCI Compliance
 
IT Security in Higher Education
IT Security in Higher EducationIT Security in Higher Education
IT Security in Higher Education
 
Protecting Patient Health Information in the HITECH Era
Protecting Patient Health Information in the HITECH EraProtecting Patient Health Information in the HITECH Era
Protecting Patient Health Information in the HITECH Era
 
The Dynamic Nature of Virtualization Security
The Dynamic Nature of Virtualization SecurityThe Dynamic Nature of Virtualization Security
The Dynamic Nature of Virtualization Security
 
What is Penetration Testing?
What is Penetration Testing?What is Penetration Testing?
What is Penetration Testing?
 
Combating Phishing Attacks
Combating Phishing AttacksCombating Phishing Attacks
Combating Phishing Attacks
 
Get Real-Time Cyber Threat Protection with Risk Management and SIEM
Get Real-Time Cyber Threat Protection with Risk Management and SIEMGet Real-Time Cyber Threat Protection with Risk Management and SIEM
Get Real-Time Cyber Threat Protection with Risk Management and SIEM
 
How to Sell Security to Your CIO
How to Sell Security to Your CIOHow to Sell Security to Your CIO
How to Sell Security to Your CIO
 

Recently uploaded

Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesZilliz
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 

Recently uploaded (20)

Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector Databases
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 

Rapid7 CAG Compliance Guide

  • 1. Consensus Audit Guidelines (CAG) Compliance Guide September 2011
  • 2. Rapid7 Corporate Headquarters 800 Boylston Street, Prudential Tower, 29th Floor, Boston, MA 02199-8095 617.247.1717 www.rapid7.com What is the CAG? The Consensus Audit Guidelines (CAG) provide critical U.S. Federal government infrastructures with a proactive cyber-security framework to prioritize critical IT security concerns. The CAG was developed by a consortium of Federal government agencies and private sector partners, including such notable members as the Department of Defense, Department of Energy, FBI and US-CERT, National Institute of Standards and Technology (NIST) and the SANS Institute. Designed to protect critical IT systems from real-world attacks, the CAG goes beyond the annual compliance-driven audits and the checklist-focused approach found in the Federal Information Security Management Act (FISMA). The CAG provides Federal agencies with tools to prioritize critical IT security concerns as part of managing system design and operations rather than trying to manage security as an ad-hoc exercise on the side. The CAG has been mapped to FISMA controls, and has been leveraged by NIST to update the FISMA controls outlined in Special Publication SP 800-53. The CAG is also being used to update FISMA as part of the new U.S. Information and Communications Enhancement (ICE) Act. In the meantime, the consortium that developed the CAG is advising the use of the security controls CAG as a first step towards implementing the controls outlined in NIST’s SP 800- 53 guidelines for FISMA compliance. The mapping of CAG security controls to FISMA makes it possible to leverage standardization efforts like SCAP together with repositories of content like the National Vulnerability Database (NVD), enabling organizations to use automated tools for on-going infrastructure monitoring for vulnerabilities, mis-configurations and policy violations. 
This baseline data also helps auditors to perform the additional validation required to meet annual and quarterly compliance requirements. Using CAG provides a simple first step towards becoming compliant with current FISMA regulations, with the added benefit of getting aligned with the provisions in the ICE Act. However, the most important benefit provided by the CAG is real-world tested guidance on how to implement robust, proactive, continuous security control measures. The real goal of applying CAG is not simply to become compliant with regulations, but rather to provide a template for making security best practices an integral part of system design and operation so that Federal agencies can ensure their systems are capable of withstanding the more frequent and in-depth attacks found in an increasingly complex threat landscape. Who needs the CAG? The CAG was originally designed to meet the needs of information technology providers for Federal government agencies and departments. However, studies of the cyber security threats to North American critical infrastructure revealed that private sector entities interact with more than 85% of the critical infrastructure in the United States. As a result, President Obama’s former interim Cyber Security Czar, Melissa Hathaway, recommended applying the same security guidelines to both public and private sector entities that utilize, manage, or run critical infrastructures. Critical infrastructure entities outside of the Federal government include organizations in Healthcare Services, Energy, Financial Services, Telecommunications and Transportation. CAG guidelines easily supplement and enhance the security requirements already needed to comply with regulations in these industries, including FISMA, NERC, PCI, GLBA and HIPAA. 
How Rapid7 Helps Rapid7 provides the only unified threat management solution to help organizations understand risk and adopt best practices to optimize their network security, Web application security and database security strategies. Rapid7 has extensive experience partnering with Federal departments and agencies, such as the U.S. Department of
  • 3. Rapid7 Corporate Headquarters 800 Boylston Street, Prudential Tower, 29th Floor, Boston, MA 02199-8095 617.247.1717 www.rapid7.com Energy, United States Postal Service (USPS), the National Nuclear Security Administration (NNSA), and the National Telecommunications and Information Administration (NTIA), to help them meet their regulatory requirements. Rapid7 security solutions help thwart real-world attacks by helping organizations apply the CAG’s twenty Critical Security Controls (CSC), also known as the SANS twenty Critical Security Controls. To meet CAG compliance, organizations must demonstrate adherence to the twenty CSCs as outlined below. Controls suited for automation Fifteen CSC categories are suited for automated collection, measurement and validation. Rapid7 Nexpose proactively automates the process of monitoring, measuring, validating, and prioritizing security threats for these CSC as follows: Control Rapid7 Solution CSC-1 Inventory of Authorized and Unauthorized Devices Enables administrators to build and manage an asset inventory by performing either manual or scheduled discovery scans. Automates the task of asset discovery and identification by scanning the entire infrastructure for all networked devices. Assembles an inventory of every system that has an IP address on the network, including databases, desktops, laptops, servers, subnets, network equipment (routers, switches, firewalls, etc.), printers, Storage Area Networks, and Voice-over- IP (VoIP) phones. Enables administrators to configure asset scanning and reporting using sites and asset groups based on specific criteria such as device type, software type, operating system type, or geographic location. Provides fully customizable policy scanning to determine presence of unauthorized devices in accordance with policies for whitelisting authorized devices and blacklisting unauthorized devices. 
Catalogs all devices in Nexpose as it scans and automatically sends alerts to administrators about any deviations from the expected inventory of assets on the network.
  • 4. Rapid7 Corporate Headquarters 800 Boylston Street, Prudential Tower, 29th Floor, Boston, MA 02199-8095 617.247.1717 www.rapid7.com Control Rapid7 Solution CSC-2 Inventory of Authorized and Unauthorized Software Automates the task of asset discovery and identification by scanning and assembling an inventory of software on all networked devices in every system that has an IP address on the network anywhere in the entire infrastructure including servers, workstations and laptops. Provides automation in tracking types of operating systems and applications installed on each system, including versions and patch levels. Provides fully customizable policy scanning to establish baseline configurations to test the effectiveness of security measures, and determine presence of unauthorized software and services in accordance with policies for whitelisting authorized software and blacklisting unauthorized software. Catalogs all software as it scans, including any malicious software, by using the latest fingerprinting technologies to identify systems, services, and installed applications. Sends alerts automatically to administrators for any deviations from the expected inventory of assets on the network. CSC-3 Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers Provides the ability to establish baseline configurations to validate the effectiveness of security policies in both test environments and production environments against the baseline condition by checking for presence of unauthorized devices in accordance with policies for whitelisting authorized devices and blacklisting unauthorized devices. Provides fully customizable Nexpose scanning templates to allow for policy scanning for Windows, Oracle and IBM systems. 
Provides flexible, customizable policy scanning to detect misconfigurations, identify missing patches against mitigating control policies, and apply risk scoring to measure violations against established desktop and server configuration management policies on servers, workstations, laptops, handheld devices, multiple classes of Web applications, and database applications including MS SQL Server, Oracle, MySQL, and DB2. Enables administrators to validate and report on adherence to configuration policies within the asset inventory by performing either manual or scheduled policy configuration scans.
  • 5. Rapid7 Corporate Headquarters 800 Boylston Street, Prudential Tower, 29th Floor, Boston, MA 02199-8095 617.247.1717 www.rapid7.com Control Rapid7 Solution CSC-4 Secure Configurations for Network Devices such as Firewalls, Routers, and Switches Provides fully customizable policy scanning to detect misconfigurations, locate unnecessary services, find default accounts, identify missing patches against mitigating control policies, and apply risk scoring to measure violations against established configuration management policies for network devices, including firewalls, routers and switches. Provides fully customizable Nexpose scanning templates to allow for policy scanning in order to validate Windows firewall settings. Provides the ability to establish baseline configurations to validate the effectiveness of security policies in both test environments and production environments against the baseline condition by checking for presence of unauthorized network device configuration in accordance with policies for firewall rules, router access control lists, and IDS/IPS detection. CSC-5 Boundary Defense Provides fully customizable policy compliance framework to setup automated monitoring of port access policies. Provides fully customizable risk scoring, policy auditing, and vulnerability scanning to alert you of policy violations or misconfigurations, including validation of up-to- date firewalls, and IDS/IPS system patches. Includes option to use either a hosted scan engine through Rapid7’s Managed PCI Compliance Services, or your own external distributed scan engine outside your DMZ to perform external perimeter vulnerability scanning. CSC-6 Maintenance, Monitoring, and Analysis of Security Audit Logs Provides fully customizable policy compliance framework to setup automated monitoring of security audit log policies.
CSC-7 Application Software Security
Rapid7 Solution:
- Provides the ability to perform on-going scheduled and ad-hoc scanning of Web applications for XSS and SQL injection.
- Enables Web form scanning using form-based authentication.
- Provides the ability to establish baseline configurations to validate the effectiveness of security policies after Web application changes in both test and production environments against the baseline condition by checking for security violations in Web applications, as well as in underlying database servers, including MS SQL Server, Oracle, MySQL, and DB2.
- Provides comprehensive unified vulnerability scanning of all vital systems to evaluate potential risks to operating systems, Web applications, databases, enterprise applications, and custom applications.
- Provides a fully customizable policy compliance framework to set up automated monitoring of software policy settings, including Web browser patching levels, and configuration settings for Web applications, including their underlying database servers.
- Provides fully customizable risk scoring, policy auditing, and vulnerability scanning to alert you of policy violations or misconfigurations.

CSC-8 Controlled Use of Administrative Privileges
Rapid7 Solution:
- Provides the ability to segregate administrative privileges using role-based access control to limit vulnerability information to appropriate parties.
- Provides access to Rapid7 Risk Assessment Services to identify gaps in your security program, determine if security policies are being followed in actual day-to-day operations (i.e. policies for maintaining least privilege, segregation of duties, and patching on databases containing private data), and provide guidance on developing the missing control policies and procedures required to secure private data from external threats.

CSC-9 Controlled Access Based on Need to Know
Rapid7 Solution:
- Provides the ability to test servers to ensure they are configured with the proper level of access control, including separation of duties for default and new accounts, and that server configurations have been locked down to the least level of privilege.
CSC-10 Continuous Vulnerability Assessment and Remediation
Rapid7 Solution:
- Provides ad-hoc scans of newly introduced vulnerabilities so that you can immediately:
  o Scan for new vulnerabilities
  o View a report of all vulnerabilities found
  o View a record of new vulnerabilities added
- Provides the ability to define scan frequency, including the option to use randomized scanning and high-speed parallel scanning (2-4 times faster than competitors), which enhances security by providing capacity for more frequent scans so your security team always has access to the most current data.
- Enables authenticated scanning in applications as well as in Web forms.
- Provides flexible, customizable policy scanning to detect misconfigurations, identify missing patches against mitigating controls or compensating control policies, and apply risk scoring to measure violations and establish trends against established baselines for all networked devices and software.
- Provides customizable policy scanning to establish baseline configurations, test the effectiveness of security measures, and provide both executive and detailed analyst reports. The findings will include which authorized and unauthorized devices were discovered, based on Nexpose templates configured to identify whitelisted (authorized) and blacklisted (unauthorized) devices.
- Provides customizable, prioritized risk scoring to customize severity levels for more accurate remediation reporting suited to your environment.
- Enables easy integration of vulnerability and compliance management into existing business processes and IT systems, such as GRC solutions like Archer, help desk, asset management and other security solutions, via pre-built integrations and Rapid7’s Nexpose API.

CSC-11 Account Monitoring and Control
Rapid7 Solution:
- Enforces password policies through regular scheduled scanning and reporting.
- Uses our customizable policy compliance framework to set up automated monitoring of password policies (including number of login attempts, password length, allowable special characters, etc.).
- Provides monitoring of software installation policies, and reports on illegal software installed on users’ systems.
CSC-12 Malware Defenses
Rapid7 Solution:
- Catalogs all software as it scans, including any malicious software.

CSC-13 Limitation and Control of Network Ports, Protocols, and Services
Rapid7 Solution:
- Provides fully customizable policy scanning to monitor policy violations or misconfigurations of network ports, protocols, and services.

CSC-14 Wireless Device Control
Rapid7 Solution:
- Provides fully customizable policy scanning to monitor policy violations or misconfigurations of network ports, protocols, and services.
- Provides access to Rapid7 Wireless Audit Consulting Services to evaluate your wireless security controls on all wireless access points, identify gaps in your security program, determine if security policies are being followed in actual day-to-day operations, and provide guidance on developing the missing control policies and procedures required to secure private data from unauthorized access.

CSC-15 Data Loss Prevention
Rapid7 Solution:
- Provides a HIPAA scan template which detects PII data, such as Social Security numbers, on Web pages for better patient privacy in medical institutions. To further enhance the HIPAA audit, the scan template can be configured to allow file searching, so that if Nexpose gains access to an asset’s file system during the scanning process, it can search for, and retrieve, files on that system. For example, medical offices cannot store patient data on local drives due to HIPAA regulations, so file searching can be useful for verifying that.
- Provides the ability to configure custom scan templates to search for specific data patterns in Web applications that indicate the presence of PII that would lead to security violations.

- Provides automated mechanisms that increase the availability of incident response related information by providing details on potential vulnerabilities that were exploited, as well as remediation steps to prevent future exploits.
- Provides continuous logging of historical scan data for use in disaster recovery and auditing.
- Provides access to Rapid7 Risk Assessment Services to provide guidance on the development of incident management and disaster recovery program best practices for protecting personal information, by evaluating security controls for modification of access rights and providing guidance on developing missing control policies.
Controls not directly supported by automation

Five CSC categories are not directly supported by automation. Rapid7’s Consulting Services has security experts to assist you in measuring and validating these CSC categories as follows:

CSC-16 Secure Network Engineering
Rapid7 Solution:
- Provides access to Rapid7 Risk Assessment Services to evaluate your security controls, identify gaps in your security program, and provide guidance on incorporating secure network engineering best practices.

CSC-17 Penetration Tests and Red Team Exercises
Rapid7 Solution:
- Provides access to Rapid7 Penetration Testing Services to evaluate your security controls, perform internal and external testing, perform social engineering, identify gaps in your security program, and provide an actionable remediation plan.
- Provides access to Rapid7 Security Experts to determine if security policies are being followed in actual day-to-day operations, and provides guidance on developing the missing control policies and procedures required to secure information systems and data from external threats.

CSC-18 Incident Response Capability
Rapid7 Solution:
- Provides an automated end-to-end security solution to automatically document all security incidents and the subsequent effects of vulnerability remediation, establishing a historical audit log record. This includes fully configurable automated notifications and a ticketing system for customizable case escalation, ticket creation, and notification, with the ability to integrate with third-party ticketing systems.
- Provides access to Rapid7 Security Experts to determine if security policies are being followed in actual day-to-day operations, and provides guidance on developing the missing control policies and procedures required to secure information systems and data from external threats.

CSC-19 Data Recovery Capability
Rapid7 Solution:
- Provides access to Rapid7 Risk Assessment Services to evaluate whether data recovery capabilities have been adequately embedded into security controls, and identify gaps in your security program.

CSC-20 Security Skills Assessment and Appropriate Training to Fill Gaps
Rapid7 Solution:
- Provides access to Rapid7 Risk Assessment Services to determine the need for holistic vulnerability management security training by evaluating security awareness during penetration testing and social engineering exercises, followed by recommendations for the security awareness training required as part of an integrated security management program.

Contact us to find out more about how Rapid7 can help you incorporate the twenty CSCs of the CAG into your on-going, prioritized, unified security management program. To see how Rapid7’s IT Security Risk Management suite can benefit your organization, visit Rapid7.com.