Security controls are safeguards or
countermeasure
A countermeasure is a measure or action taken to counter or offset another one. As a general concept, it implies precision and is any technological or tactical solution or system designed to prevent an undesirable outcome in the process. The fi ...
s to avoid, detect, counteract, or minimize
security risks to physical property, information, computer systems, or other assets. In the field of
information security
Information security, sometimes shortened to InfoSec, is the practice of protecting information by mitigating information risks. It is part of information risk management. It typically involves preventing or reducing the probability of unauthorize ...
, such controls protect the
confidentiality, integrity and availability of information.
Systems of controls can be referred to as frameworks or standards. Frameworks can enable an organization to manage security controls across different types of assets with consistency.
Types of security controls
Security
Security is protection from, or resilience against, potential harm (or other unwanted coercive change) caused by others, by restraining the freedom of others to act. Beneficiaries (technically referents) of security may be of persons and social ...
controls can be classified by various criteria. For example, controls are occasionally classified by when they act relative to a security breach:
*Before the event, preventive controls are intended to prevent an incident from occurring e.g. by locking out unauthorized intruders;
*During the event, detective controls are intended to identify and characterize an incident in progress e.g. by sounding the intruder alarm and alerting the security guards or police;
*After the event, corrective controls are intended to limit the extent of any damage caused by the incident e.g. by recovering the organization to normal working status as efficiently as possible.
Security controls can also be classified according to their characteristics, for example:
*Physical controls ''e.g.'' fences, doors, locks and fire extinguishers;
*Procedural or administrative controls ''e.g.'' incident response processes, management oversight, security awareness and training;
*Technical or logical controls ''e.g.'' user authentication (login) and logical access controls, antivirus software, firewalls;
*Legal and regulatory or compliance controls ''e.g.'' privacy laws, policies and clauses.
''For more information on security controls in computing, see
Defense in depth (computing)
Defense in depth is a concept used in information security in which multiple layers of security controls (defense) are placed throughout an information technology (IT) system. Its intent is to provide redundancy in the event a security control fa ...
and
Information security
Information security, sometimes shortened to InfoSec, is the practice of protecting information by mitigating information risks. It is part of information risk management. It typically involves preventing or reducing the probability of unauthorize ...
''
Information security standards and control frameworks
Numerous information security standards promote good security practices and define frameworks or systems to structure the analysis and design for managing information security controls. Some of the most well known standards are outlined below.
International Standards Organization
ISO/IEC 27001
ISO/IEC 27001 is an international standard to manage information security. The standard was originally published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) in 2005, ...
specifies 114 controls in 14 groups:
*A.5: Information security policies
*A.6: How information security is organised
*A.7: Human resources security - controls that are applied before, during, or after employment.
*A.8: Asset management
*A.9: Access controls and managing user access
*A.10: Cryptographic technology
*A.11: Physical security of the organisation's sites and equipment
*A.12: Operational security
*A.13: Secure communications and data transfer
*A.14: Secure acquisition, development, and support of information systems
*A.15: Security for suppliers and third parties
*A.16: Incident management
*A.17: Business continuity/disaster recovery (to the extent that it affects information security)
*A.18: Compliance - with internal requirements, such as policies, and with external requirements, such as laws.
U.S. Federal Government information security standards
The
Federal Information Processing Standards (FIPS) apply to all US government agencies. However, certain national security systems, under the purview of the
Committee on National Security Systems
The Committee on National Security Systems (CNSS) is a United States intergovernmental organization that sets policy for the security of the US security systems.
Charter, mission, and leadership
The National Security Telecommunications and Infor ...
, are managed outside these standards.
Federal information Processing Standard 200 (FIPS 200), "Minimum Security Requirements for Federal Information and Information Systems," specifies the minimum security controls for federal information systems and the processes by which risk-based selection of security controls occurs. The catalog of minimum security controls is found in
NIST
The National Institute of Standards and Technology (NIST) is an agency of the United States Department of Commerce whose mission is to promote American innovation and industrial competitiveness. NIST's activities are organized into physical sci ...
Special Publicatio
SP 800-53
FIPS 200 identifies 17 broad control families:
#AC Access Control.
#AT Awareness and Training.
#AU Audit and Accountability.
#CA Security Assessment and Authorization. (historical abbreviation)
#CM Configuration Management.
#CP Contingency Planning.
#IA Identification and Authentication.
#IR Incident Response.
#MA Maintenance.
#MP Media Protection.
#PE Physical and Environmental Protection.
#PL Planning.
#PS Personnel Security.
#RA Risk Assessment.
#SA System and Services Acquisition.
#SC System and Communications Protection.
#SI System and Information Integrity.
National Institute of Standards and Technology
NIST Cybersecurity Framework
A maturity based framework divided into five functional areas and approximately 100 individual controls in its "core."
NIST SP-800-53
A database of nearly one thousand technical controls grouped into families and cross references.
* Starting with Revision 3 of 800-53, Program Management controls were identified. These controls are independent of the system controls, but are necessary for an effective security program.
* Starting with Revision 4 of 800-53, eight families of privacy controls were identified to align the security controls with the privacy expectations of federal law.
* Starting with Revision 5 of 800-53, the controls also address data privacy as defined by the NIST Data Privacy Framework.
Commercial Control Sets
COBIT5
A proprietary control set published by ISACA.
* Governance of Enterprise IT
** Evaluate, Direct and Monitor (EDM) – 5 processes
* Management of Enterprise IT
** Align, Plan and Organise (APO) – 13 processes
** Build, Acquire and Implement (BAI) – 10 processes
** Deliver, Service and Support (DSS) – 6 processes
** Monitor, Evaluate and Assess (MEA) - 3 processes
CIS Controls (CIS 18)
Formerly known as the SANS Critical Security Controls now officially called the CIS Critical Security Controls (COS Controls). The CIS Controls are divided into 18 controls.
* CIS Control 1: Inventory and Control of Enterprise Assets
* CIS Control 2: Inventory and Control of Software Assets
* CIS Control 3: Data Protection
* CIS Control 4: Secure Configuration of Enterprise Assets and Software
* CIS Control 5: Account Management
* CIS Control 6: Access Control Management
* CIS Control 7: Continuous Vulnerability Management
* CIS Control 8: Audit Log Management
* CIS Control 9: Email and Web Browser Protections
* CIS Control 10: Malware Defenses
* CIS Control 11: Data Recovery
* CIS Control 12: Network Infrastructure Management
* CIS Control 13: Network Monitoring and Defense
* CIS Control 14: Security Awareness and Skills Training
* CIS Control 15: Service Provider Management
* CIS Control 16: Application Software Security
* CIS Control 17: Incident Response Management
* CIS Control 18: Penetration Testing
The Controls are divided further into Implementation Groups (IGs) which are a recommended guidance to prioritize implementation of the CIS controls.
Telecommunications
In telecommunications, security controls are defined as
security services as part of the
OSI Reference model
The Open Systems Interconnection model (OSI model) is a conceptual model that 'provides a common basis for the coordination of SOstandards development for the purpose of systems interconnection'. In the OSI reference model, the communications ...
* ITU-T X.800 Recommendation.
* ISO ISO 7498-2
These are technically aligned.
[X.800 : Security architecture for Open Systems Interconnection for CCITT applications]
/ref> This model is widely recognized.[
William Stallings
Crittografia e sicurezza delle reti
Seconda edizione
Traduzione Italiana a cura di Luca Salgarelli
di Cryptography and Network security 4 edition
Pearson
2006
]
[Securing information and communications systems: principles, technologies, and applications
Steven Furnell, Sokratis Katsikas, Javier Lopez, Artech House, 2008 - 362 pages
]
Data liability (legal, regulatory, compliance)
The intersection of security risk and laws that set standards of care is where data liability are defined. A handful of databases are emerging to help risk managers research laws that define liability at the country, province/state, and local levels. In these control sets, compliance with relevant laws are the actual risk mitigators.
* Perkins Coie Security Breach Notification Chart: A set of articles (one per state) that define data breach notification requirements among US states.
*NCSL Security Breach Notification Laws: A list of US state statutes that define data breach notification requirements.
*ts jurisdiction: A commercial cybersecurity research platform with coverage of 380+ US State & Federal laws that impact cybersecurity before and after a breach. ts jurisdiction also maps to the NIST Cybersecurity Framework.
Business control frameworks
There are a wide range of frameworks and standards looking at internal business, and inter-business controls, including:
*SSAE 16
Statement on Standards for Attestation Engagements no. 16 (SSAE 16) is an auditing standard for service organizations, produced by the American Institute of Certified Public Accountants (AICPA) Auditing Standards Board, which supersedes Statem ...
*ISAE 3402 International Standard on Assurance Engagements 3402 (ISAE 3402), titled Assurance Reports on Controls at a Service Organization, is an international assurance standard that describes Service Organization Control (SOC) engagements, which provides a ...
* Payment Card Industry Data Security Standard
*Health Insurance Portability and Accountability Act
The Health Insurance Portability and Accountability Act of 1996 (HIPAA or the Kennedy– Kassebaum Act) is a United States Act of Congress enacted by the 104th United States Congress and signed into law by President Bill Clinton on August 21, 1 ...
*COBIT 4/5
*CIS Top-20
*NIST Cybersecurity Framework
See also
* Access control
In the fields of physical security and information security, access control (AC) is the selective restriction of access to a place or other resource, while access management describes the process. The act of ''accessing'' may mean consuming ...
* Aviation security
Airport security includes the techniques and methods used in an attempt to protect passengers, staff, aircraft, and airport property from malicious harm, crime, terrorism, and other threats.
Aviation security is a combination of measures and hum ...
* countermeasure
A countermeasure is a measure or action taken to counter or offset another one. As a general concept, it implies precision and is any technological or tactical solution or system designed to prevent an undesirable outcome in the process. The fi ...
* Environmental design
Environmental design is the process of addressing surrounding environmental parameters when devising plans, programs, policies, buildings, or products. It seeks to create spaces that will enhance the natural, social, cultural and physical environm ...
* Information security
Information security, sometimes shortened to InfoSec, is the practice of protecting information by mitigating information risks. It is part of information risk management. It typically involves preventing or reducing the probability of unauthorize ...
* OSI Reference Model
The Open Systems Interconnection model (OSI model) is a conceptual model that 'provides a common basis for the coordination of SOstandards development for the purpose of systems interconnection'. In the OSI reference model, the communications ...
* Physical Security
Physical security describes security measures that are designed to deny unauthorized access to facilities, equipment and resources and to protect personnel and property from damage or harm (such as espionage, theft, or terrorist attacks). Physica ...
* Risk
In simple terms, risk is the possibility of something bad happening. Risk involves uncertainty about the effects/implications of an activity with respect to something that humans value (such as health, well-being, wealth, property or the environme ...
* Security
Security is protection from, or resilience against, potential harm (or other unwanted coercive change) caused by others, by restraining the freedom of others to act. Beneficiaries (technically referents) of security may be of persons and social ...
* Security engineering
* Security management
Security management is the identification of an organization's assets (including people, buildings, machines, systems and information assets), followed by the development, documentation, and implementation of policies and procedures for protec ...
* Security services
References
NIST SP 800-53 Revision 4
DoD Instruction 8500.2
FISMApedia Terms
{{Authority control
Computer network security
Computer security procedures
Data security