For Immediate Release

Contact: Tony Sager
(443) 952-0542
tsager@sans.org

WASHINGTON DC, October 31, 2012 - The Consortium for Cybersecurity Action (CCA), a newly-formed international consortium of government agencies and private organizations from around the world, will host a Conference Call to promote the most effective approaches to cybersecurity and support 11 key developments that are shaping events.

The Conference Call is scheduled for Monday, November 5th at 11:00 a.m. EST. Dial-in instructions:

Domestic (Dial-in): 877-268-9432
International (Dial-in): 817-755-8752
Conference Call ID# 63979758

The briefing will feature analysis by the world's top security experts of 11 major "headlines" about efforts to prevent and thwart cyber attacks. The experts will also discuss the most effective ways for organizations to implement the newly updated Critical Controls, a prioritized, risk-based set of information security measures to defend against myriad internal and external threats.

The major cybersecurity headlines for discussion are:

1. The United States, United Kingdom, Australia and dozens of major agencies and corporations (see list below) agree to cooperate in defining and promoting the most effective controls for computer and network security and the most rapid and cost-effective ways to deploy them.


2. Tony Sager, most recently Chief Operating Officer of the National Security Agency's Information Assurance Directorate, agrees to lead the CCA. Sager heads the list of experts who will conduct the Conference Call, along with Dr. Eric Cole, Randy Marchany, and Alan Paller.


3. The CCA releases the updated (Version 4.0) Critical Controls for Effective Cyber Defense document reflecting improved consensus on global risk assessment and the most effective actions enterprises can take to manage risk. The updated Controls will be published November 5th and available online at www.sans.org/critical-security-controls/.


4. The British government's Center for the Protection of National Infrastructure (CPNI) describes the Critical Controls as the "baseline of high-priority information security measures and controls that can be applied across an organisation in order to improve its cyber defence." CPNI is mapping its guidance products against the controls to assist organizations with implementation.


5. The Australian Defence Signals Directorate revises its "35 Strategies to Mitigate Targeted Cyber Intrusions" and re-ranks the "Top 4 Mitigation Strategies to Protect Your ICT System." Available online at http://www.dsd.gov.au/publications/Top_35_Mitigations_2012.pdf. Educational video available at www.dsd.gov.au/videos/catch-patch-match.htm


6. The U.S. Department of Homeland Security announces a large procurement package to automate the first five of the Critical Controls across .gov networks with buying options for federal cloud initiatives and state and local governments. In its procurement process the DHS has adopted Australia's top priority strategies (whitelisting, configuration and patching) as core elements of its first phase of a large contract implementing the Critical Controls.


7. The U.S. Federal Communications Commission launches a task force to determine how the Critical Controls can best be applied to protect the telecommunications industry.


8. The CCA announces it will publish Quarterly Updates to ensure that all consortium members have access to the most current threat information and that the controls are updated annually to address cutting-edge threats and vulnerabilities


9. Training programs on the Critical Controls and the Top 4 Mitigation Strategies planned for the Asia-Pacific region, Europe, and United States over the next seven months.


10. The states of Ohio and Colorado adopt the Critical Controls as their cybersecurity standard.


11. Virginia Tech University adopts the Critical Controls as its cybersecurity standard. VT is polling other schools to determine which others have made similar decisions.

The CCA will serve as an ongoing mechanism to bring together community expertise on attacks and threats; identify and prioritize the most effective defensive controls (based on performance in stopping attacks); identify tools and processes to support implementation; encourage and support adoption of the Critical Controls by organizations, standards bodies, and governments; and enable the world community to share cyber defense information and effective practices.

The Critical Controls are specific guidelines that CISOs, CIOs, IGs, systems administrators, and information security personnel can use to both manage and measure the effectiveness of their defenses. They are designed to complement existing standards, frameworks, compliance schemes, etc. by bringing priority and focus to the most critical threat and highest payoff defenses, while providing a common baseline for action against the risks that we all face.

Members of the Consortium of Government Agencies and Private Organizations Working toward Defining the Consensus List of Critical Security Controls