
INTRODUCTION TO INFORMATION SECURITY

Module 7 – Security Controls

Learning Objectives
After completing this module, you are expected to:
▪ know what security controls are
▪ learn the types and functions of security controls
▪ understand examples of security control frameworks and best practices

7.1 What are Security Controls?

Security controls are parameters implemented to protect assets important to an organization.
They include any type of policy, procedure, technique, method, solution, plan, action,
countermeasure, or device designed to help reduce or mitigate the risk to those assets.
Recognizable examples include surveillance systems, firewalls, and antivirus software.

Security controls are not randomly or arbitrarily chosen. Generally, they flow out of the
organization’s risk management process, beginning with defining the overall IT security strategy
and goals, and followed by defining specific control objectives, i.e., statements about how the
organization plans to effectively manage risk. Once the organization defines control objectives,
it can assess the risk to individual assets and then choose the most appropriate security
controls to put in place.

One of the most straightforward models for classifying controls is by TYPE: physical, technical,
or administrative, and by FUNCTION: preventative, detective, and corrective.[1]

[1] https://www.f5.com/labs/articles/education/what-are-security-controls

7.2 Security Control Types

Physical controls describe anything tangible that is used to prevent or detect unauthorized
access to physical areas, systems, or assets. This includes things like fences, gates, guards,
security badges and access cards, biometric access controls, security lighting, CCTVs,
surveillance cameras, motion sensors, fire suppression, as well as environmental controls like
HVAC and humidity controls.

Technical controls (also known as logical controls) include hardware or software mechanisms
used to protect assets. Some common examples are authentication solutions, firewalls, antivirus
software, intrusion detection systems (IDSs), intrusion prevention systems (IPSs), constrained
interfaces, as well as access control lists (ACLs) and encryption measures.

Administrative controls refer to policies, procedures, or guidelines that define personnel or
business practices in accordance with the organization's security goals. These can apply to
employee hiring and termination, equipment and Internet usage, physical access to facilities,
separation of duties, data classification, and auditing. Security awareness training for
employees also falls under administrative controls.

7.3 Security Control Functions

Preventative controls describe any security measure that’s designed to stop unwanted or
unauthorized activity from occurring. Examples include physical controls such as fences, locks,
and alarm systems; technical controls such as antivirus software, firewalls, and IPSs; and
administrative controls like separation of duties, data classification, and auditing.

Detective controls describe any security measure or solution that is implemented to
detect and alert on unwanted or unauthorized activity, either in progress or after it has occurred.
Physical examples include alarms or notifications from physical sensors (door alarms, fire
alarms) that alert guards, police, or system administrators. Honeypots and IDSs are examples
of technical detective controls.

Corrective controls include any measures taken to repair damage or restore resources and
capabilities to their prior state following an unauthorized or unwanted activity. Examples of
technical corrective controls include patching a system, quarantining a virus, terminating a
process, or rebooting a system. Putting an incident response plan into action is an example of
an administrative corrective control.
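To make the three FUNCTIONS concrete, the following added example (not part of the module) applies one technical control of each function to a constructed stream of access requests: an ACL that denies by default (preventative), a monitor that flags users with repeated denials (detective), and a lockout that restores a safe state (corrective). The users, resources, threshold and requests are all hypothetical.

```python
"""Added illustration (not from the module): one technical control per
security-control FUNCTION from Section 7.3, run over constructed requests."""
from collections import Counter

# Preventative control: an access control list (ACL) decides before access happens.
ACL = {"alice": {"payroll", "wiki"}, "bob": {"wiki"}}  # constructed sample data

DENIAL_THRESHOLD = 3  # detective rule: alert once a user has this many denials


def preventative_acl_check(acl, user, resource):
    """Allow only what the ACL explicitly grants; unknown users get nothing (default deny)."""
    return resource in acl.get(user, set())


def detective_denial_monitor(events, threshold=DENIAL_THRESHOLD):
    """Inspect the audit trail after the fact and flag users who hit the denial threshold."""
    denials = Counter(e["user"] for e in events if e["decision"] == "deny")
    return sorted(user for user, count in denials.items() if count >= threshold)


def corrective_lockout(acl, flagged_users):
    """Restore a known-safe state by removing all grants from flagged users.
    A new ACL is returned so the original remains available for auditing."""
    return {u: (set() if u in flagged_users else set(r)) for u, r in acl.items()}


def run_controls(acl, requests):
    """Apply prevention, detection and correction in order; return the results for review."""
    events = [{"user": u, "resource": r,
               "decision": "allow" if preventative_acl_check(acl, u, r) else "deny"}
              for u, r in requests]
    flagged = detective_denial_monitor(events)
    return {"events": events, "flagged": flagged,
            "acl_after": corrective_lockout(acl, flagged)}


if __name__ == "__main__":
    # Constructed request stream: bob repeatedly probes a resource he is not granted.
    REQUESTS = [("alice", "payroll"), ("bob", "wiki"), ("bob", "payroll"),
                ("bob", "payroll"), ("bob", "payroll"), ("alice", "wiki")]
    outcome = run_controls(ACL, REQUESTS)
    print("flagged:", outcome["flagged"], "acl after lockout:", outcome["acl_after"])
```

Note that the preventative check alone never raises an alert; only the detective control surfaces the pattern, and only the corrective control changes the ACL.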

7.4 Security Control Frameworks

Systems of security controls, including the processes and documentation defining
implementation and ongoing management of these controls, are referred to as frameworks or
standards.

Frameworks enable an organization to consistently manage security controls across different
types of assets according to a generally accepted and tested methodology.

National Institute of Standards and Technology Cyber Security Framework

The National Institute of Standards and Technology (NIST) created a voluntary framework in
2014 to provide organizations with guidance on how to prevent, detect, and respond to
cyberattacks. The assessment methods and procedures are used to determine if an
organization’s security controls are implemented correctly, operate as intended, and produce
the desired outcome (meeting the security requirements of the organization). The NIST
framework is consistently updated to keep pace with cybersecurity advances.[2]

Center for Internet Security Controls

The Center for Internet Security (CIS) developed a list of high-priority defensive actions that
provide a “must-do, do-first” starting point for every enterprise looking to prevent cyberattacks.

According to the SANS Institute, which developed the CIS controls, “CIS controls are effective
because they are derived from the most common attack patterns highlighted in the leading
threat reports and vetted across a very broad community of government and industry
practitioners.”[3]

[2] Source: https://www.ibm.com/cloud/learn/security-controls
[3] Source: https://www.ibm.com/cloud/learn/security-controls

7.5 Security Control Best Practices

A well-developed framework ensures that an organization does the following:

• Enforces IT security policies through security controls
• Educates employees and users about security guidelines
• Meets industry and compliance regulations
• Achieves operational efficiency across security controls
• Continually assesses risks and addresses them through security controls

A security solution is only as strong as its weakest link. The organization should consider
multiple layers of security controls (also known as a defense-in-depth strategy) to
implement security controls across identity and access management, data, applications,
network or server infrastructure, physical security, and security intelligence.[4]

[4] Source: https://www.ibm.com/cloud/learn/security-controls
