Security controls

Security controls are safeguards or countermeasures to avoid, detect, counteract, or minimize security risks to physical property, information, computer systems, or other assets. Controls help to reduce the risk of damage or loss by stopping, deterring, or slowing down an attack against an asset.

To help review or design security controls, they can be classified by several criteria, for example according to the time that they act, relative to a security incident:

(Some security professionals would add further categories such as deterrent controls and compensation. Others argue that these are subsidiary categories. This is simply a matter of semantics.)

Security controls can also be categorized according to their nature, for example:

A similar categorization distinguishes control involving people, technology and operations/processes.

Information security controls protect the confidentiality, integrity and/or availability of information (the so-called CIA Triad). Again, some would add further categories such as non-repudiation and accountability, depending on how narrowly or broadly the CIA Triad is defined.

Individual controls are often designed to act together to increase effective protection. Systems of controls can be referred to as frameworks or standards. Frameworks can enable an organization to manage security controls across different types of assets with consistency. For example, a framework can help an organization manage controls over access regardless of the type of computer operating system. This also enables an organization to assess overall risk. Risk-aware organizations may choose proactively to specify, design, implement, operate and maintain their security controls, usually by assessing the risks and implementing a comprehensive security management framework such as ISO27001:2013, the Information Security Forum's Standard of Good Practice for Information Security, or NIST SP 800-53.

In telecommunications, security controls are defined as Security services as part of OSI Reference model by ITU-T X.800 Recommendation. X.800 and ISO ISO 7498-2 (Information processing systems – Open systems interconnection – Basic Reference Model – Part 2: Security architecture are technically aligned.

For business-to-business facing companies whose service may affect the financial statements of the other company, the prospect may require successful audit reports of policy controls such as a SSAE 16 report before granting them authorization as a vendor.

Information security standards and control frameworks

Numerous information security standards promote good security practices and define frameworks or systems to structure the analysis and design for managing information security controls. Some of the most well known are outlined below.

International information security standards

ISO/IEC 27001:2013 specifies 114 controls in 14 groups:

U.S. Federal Government information security standards

From NIST Special Publication SP 800-53 revision 3.

  1. AC Access Control.
  2. AT Awareness and Training.
  3. AU Audit and Accountability.
  4. CA Certification, Accreditation, and Security Assessments.
  5. CM Configuration Management.
  6. CP Contingency Planning.
  7. IA Identification and Authentication.
  8. IR Incident Response.
  9. MA Maintenance.
  10. MP Media Protection.
  11. PE Physical and Environmental Protection.
  12. PL Planning.
  13. PS Personnel Security.
  14. RA Risk Assessment.
  15. SA System and Services Acquisition.
  16. SC System and Communications Protection.
  17. SI System and Information Integrity.
  18. PM Program Management.

U.S. Department of Defense information security standards

From DoD Instruction 8500.2 there are 8 Information Assurance (IA) areas and the controls are referred to as IA controls.

  1. DC Security Design & Configuration
  2. IA Identification and Authentication
  3. EC Enclave and Computing Environment
  4. EB Enclave Boundary Defense
  5. PE Physical and Environmental
  6. PR Personnel
  7. CO Continuity
  8. VI Vulnerability and Incident Management

DoD assigns the IA control per CIA Triad leg.

See also

References

This article is issued from Wikipedia - version of the Friday, July 17, 2015. The text is available under the Creative Commons Attribution/Share Alike but additional terms may apply for the media files.