What Are the Controls?

The detailed Consensus Audit Guidelines are posted at  along with detailed control descriptions, examples of attacks they stop or mitigate, how to automate them, and how to test them. Below is the list of control names:

Critical Controls Subject to Automated Measurement and Validation:

1. Inventory of Authorized and Unauthorized Hardware

2. Inventory of Authorized and Unauthorized Software

3. Secure Configurations for Hardware and Software for Which Such Configurations Are Available

4. Secure Configurations of Network Devices Such as Firewalls and Routers

5. Boundary Defense

6. Maintenance and Analysis of Complete Security Audit Logs

7. Application Software Security

8. Controlled Use of Administrative Privileges

9. Controlled Access Based On Need to Know

10. Continuous Vulnerability Testing and Remediation

11. Dormant Account Monitoring and Control

12. Anti-Malware Defenses

13. Limitation and Control of Ports, Protocols and Services

14. Wireless Device Control

15. Data Leakage Protection

Additional Critical Controls (not directly supported by automated measurement and validation):

16. Secure Network Engineering

17. Red Team Exercises

18. Incident Response Capability

19. Assured Data Back-Ups

20. Security Skills Assessment and Training to Fill Gaps

http://sec.chinabyte.com/465/12310465.shtml

http://www.sans.org/critical-security-controls/