Consensus Audit Guidelines: Overview

The Consensus Audit Guidelines (CAG), published by the SANS Institute, were authored by a consortium of federal government agencies, commercial forensics experts and penetration testers.

The CAG gives no-nonsense, highly actionable guidelines for securing IT – written in language that’s easily understood.

The CAG consists of 20 sections, each describing one critical security control.

Critical Security Control 12 – Controlled Use of Administrative Privileges


With the rise in data breaches attributed to unauthorized use of privileged accounts, most regulatory compliance initiatives now mandate proper controls for these powerful identities, and CAG is no exception. CAG 12 (formerly CAG 8) lists the minimum controls, and the actions needed to implement them, for securing privileged credentials.

Enterprise Random Password Manager (ERPM) helps you achieve continuous compliance with CAG 12 quickly by automating the process required to:

1. Continuously inventory all privileged accounts on every hardware and appliance platform, including administrative logins, application-to-application passwords and service accounts.

2. Programmatically change all default privileged logins present in operating systems, applications, appliances and elsewhere to long, cryptographically random values.

3. Change all privileged passwords at intervals no longer than 60 days.

4. Enforce long, cryptographically random, frequently changed passwords on service accounts.

5. Store system passwords in encrypted form, accessible only to authorized administrators.

6. Enforce least privilege, so that privileged accounts are used only for system administration and never for tasks that require lesser privileges.

7. Establish unique, different passwords for administrative and non-administrative accounts.

8. Enforce rules that prevent privileged password re-use.

9. Audit the use of privileged logins and alert management to any unusual activity.

10. Log, audit and alert whenever privileged accounts are added, deleted or changed.

11. Require multi-factor authentication for privileged access.

12. Avoid direct logins with administrative accounts; use a proxy wherever possible.

13. Protect and control privileged access to your systems and data by third parties.

14. Segregate privileged accounts according to defined roles.
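The following is an added example, not code from the original page or from ERPM, showing what several of the checks above look like in practice. It runs a small auditor over a constructed privileged-account inventory (the output of item 1) and a constructed stream of security events, and flags passwords older than 60 days (item 3), vendor defaults still in use (item 2), one secret shared across administrative and non-administrative accounts (items 7 and 8), changes to privileged groups (item 10), and interactive administrative logons that bypass the approved jump hosts (items 9 and 12). All account names, host names, thresholds, the event field names and the pepper value are assumptions made for the demonstration.

```python
"""Added example (not part of the original page or of ERPM): a small
auditor applying several CAG 12 checks to constructed sample data."""
from datetime import date
import hashlib
import hmac

MAX_PASSWORD_AGE_DAYS = 60          # item 3: rotate at least every 60 days
PRIVILEGED_GROUPS = {"Domain Admins", "Administrators", "wheel", "sudo"}
JUMP_HOSTS = {"jump01", "jump02"}   # item 12: approved proxies for admin logons
# Constructed list of common vendor defaults for item 2; a real checker
# would consult a maintained default-credential list.
KNOWN_DEFAULTS = {"admin", "password", "changeme", "root", "Passw0rd"}

# Keyed fingerprints let us compare passwords for reuse (items 7 and 8)
# without storing or logging the clear-text values. Demo pepper only; a
# real vault would hold this key in an HSM or KMS (assumption).
PEPPER = b"demo-pepper-do-not-use-in-production"


def fingerprint(password: str) -> str:
    """HMAC-SHA256 fingerprint of a password (keyed, so not table-reversible)."""
    return hmac.new(PEPPER, password.encode("utf-8"), hashlib.sha256).hexdigest()


# Constructed inventory, the kind of data item 1 would collect. The
# 'password' field is present only so that the reuse check can run.
INVENTORY = [
    {"system": "dc01",  "account": "Administrator", "privileged": True,
     "password": "Correct-Horse-9!", "last_changed": date(2024, 1, 5)},
    {"system": "fw01",  "account": "admin",         "privileged": True,
     "password": "admin",            "last_changed": date(2023, 6, 1)},
    {"system": "app01", "account": "svc_backup",    "privileged": True,
     "password": "Correct-Horse-9!", "last_changed": date(2024, 4, 20)},
    {"system": "ws17",  "account": "jdoe",          "privileged": False,
     "password": "Correct-Horse-9!", "last_changed": date(2024, 4, 1)},
    {"system": "db01",  "account": "sa",            "privileged": True,
     "password": "xK#9vQ2m!Lp7$wRz", "last_changed": date(2024, 4, 25)},
]


def audit_inventory(inventory, today):
    """Return (system, account, finding) tuples for CAG 12 items 2, 3, 7 and 8."""
    findings = []
    by_fingerprint = {}
    for acct in inventory:
        key = (acct["system"], acct["account"])
        if acct["privileged"]:
            age = (today - acct["last_changed"]).days
            if age > MAX_PASSWORD_AGE_DAYS:
                findings.append(key + (f"password age {age}d exceeds {MAX_PASSWORD_AGE_DAYS}d",))
            if acct["password"] in KNOWN_DEFAULTS:
                findings.append(key + ("default/vendor password still in use",))
        by_fingerprint.setdefault(fingerprint(acct["password"]), []).append(acct)
    # The same fingerprint on more than one account means the secret is shared;
    # report it against every privileged account in the group.
    for group in by_fingerprint.values():
        if len(group) < 2:
            continue
        for acct in group:
            if not acct["privileged"]:
                continue
            others = [f"{o['system']}/{o['account']}" for o in group if o is not acct]
            findings.append((acct["system"], acct["account"],
                             "password reused by " + ", ".join(others)))
    return findings


# Constructed security events of the kind items 9, 10 and 12 ask you to
# watch. The field names are an assumption, not any product's log format.
EVENTS = [
    {"ts": "2024-05-01T02:14:00Z", "type": "logon", "account": "Administrator",
     "privileged": True, "source": "ws17", "interactive": True},
    {"ts": "2024-05-01T09:00:00Z", "type": "logon", "account": "Administrator",
     "privileged": True, "source": "jump01", "interactive": True},
    {"ts": "2024-05-01T09:05:00Z", "type": "group_member_added", "actor": "jdoe",
     "group": "Domain Admins", "target": "svc_backup"},
    {"ts": "2024-05-01T09:06:00Z", "type": "group_member_added", "actor": "jdoe",
     "group": "Marketing", "target": "asmith"},
    {"ts": "2024-05-01T10:30:00Z", "type": "logon", "account": "jdoe",
     "privileged": False, "source": "ws17", "interactive": True},
]


def alerts_for_events(events):
    """Item 10: alert on membership changes to privileged groups.
    Item 12: alert on interactive privileged logons that bypass the jump hosts."""
    alerts = []
    for ev in events:
        if ev["type"] in ("group_member_added", "group_member_removed") \
                and ev["group"] in PRIVILEGED_GROUPS:
            alerts.append((ev["ts"], f"{ev['actor']} changed {ev['group']}: "
                                     f"{ev['type']} {ev['target']}"))
        elif ev["type"] == "logon" and ev["privileged"] and ev["interactive"] \
                and ev["source"] not in JUMP_HOSTS:
            alerts.append((ev["ts"], f"direct interactive logon by {ev['account']} "
                                     f"from {ev['source']} (not a jump host)"))
    return alerts


if __name__ == "__main__":
    for finding in audit_inventory(INVENTORY, date(2024, 5, 1)):
        print("FINDING", *finding)
    for alert in alerts_for_events(EVENTS):
        print("ALERT", *alert)
```

Two design points are worth noting. Reuse is detected by comparing keyed fingerprints rather than the clear-text secrets, so a compromise of the audit output does not leak passwords; the pepper, not the hash algorithm, is what prevents an attacker from precomputing fingerprints of guessed passwords. The logon rule only fires on interactive logons from outside the jump-host set, which is the behaviour item 12 asks for; service-account logons and logons through the proxies pass silently.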

Download the free solution brief, "Controlled Use of Administrative Privileges: Achieving CAG 12 Compliance with Enterprise Random Password Manager."


Contact us today for more information on how ERPM can help your organization comply with the Consensus Audit Guidelines.