Security controls are safeguards or countermeasures to avoid, detect, counteract, or minimize security risks to physical property, information, computer systems, or other assets.
They can be classified by several criteria. For example, according to the time at which they act, relative to a security incident:
- Before the event, preventive controls are intended to prevent an incident from occurring, e.g. by locking out unauthorized intruders;
- During the event, detective controls are intended to identify and characterize an incident in progress, e.g. by sounding an intruder alarm and alerting security guards or police;
- After the event, corrective controls are intended to limit the extent of any damage caused by the incident, e.g. by recovering the organization to normal working status as efficiently as possible.
By their nature, for example:
- Physical controls, e.g. fences, doors, locks and fire extinguishers;
- Procedural controls, e.g. incident response processes, management oversight, security awareness and training;
- Technical controls, e.g. user authentication (login) and logical access controls, antivirus software, firewalls;
- Legal and regulatory or compliance controls, e.g. privacy laws, policies and clauses.
A similar categorization distinguishes controls that involve people, technology, and operations/processes.
In the field of information security, such controls protect the confidentiality, integrity and/or availability of information, the so-called CIA triad.
Systems of controls can be referred to as frameworks or standards. A framework can enable an organization to manage security controls across different types of assets consistently.
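The classification by time of action above (preventive, detective, corrective) is easiest to see when all three controls are applied to the same asset. The following added example, which is not part of the original article and uses a constructed record, access list and backup, implements one technical control of each kind around a single protected file: an authorization check that runs before any data is returned (preventive), a scan of the audit trail that alerts on repeated denials (detective), and a checksum comparison that restores the record from a backup when its integrity has been lost (corrective). Each control also maps to a leg of the CIA triad: the preventive check protects confidentiality, the audit trail supports accountability for detection, and the restore protects integrity and availability.

```python
import hashlib
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample data: one protected record, who may read it, and a
# known-good checksum taken while the record was trusted.
RECORDS = {"payroll.csv": b"id,salary\n1,50000\n"}
ACL = {"payroll.csv": {"alice"}}
KNOWN_GOOD = {name: hashlib.sha256(data).hexdigest() for name, data in RECORDS.items()}
BACKUP = dict(RECORDS)  # hypothetical offline copy used by the corrective control


@dataclass
class ControlLog:
    """Audit trail shared by all three controls; alerts are derived from it."""
    audit: list = field(default_factory=list)
    alerts: list = field(default_factory=list)


def read_record(user, name, log):
    """Preventive control: the access decision is made before any data is returned."""
    if user not in ACL.get(name, set()):
        log.audit.append(("DENY", user, name))
        return None
    log.audit.append(("ALLOW", user, name))
    return RECORDS[name]


def detect_repeated_denials(log, threshold=3):
    """Detective control: scan the audit trail and alert on principals that
    have been denied at least `threshold` times. Returns the current alerts."""
    denials = Counter(user for action, user, _ in log.audit if action == "DENY")
    log.alerts = [f"{user}: {count} denied accesses"
                  for user, count in denials.items() if count >= threshold]
    return list(log.alerts)


def verify_and_restore(name, log):
    """Corrective control: if the record's checksum no longer matches the
    known-good value, restore it from backup and record the action.
    Returns True when a restore was performed."""
    current = hashlib.sha256(RECORDS[name]).hexdigest()
    if current == KNOWN_GOOD[name]:
        return False
    RECORDS[name] = BACKUP[name]
    log.audit.append(("RESTORE", "system", name))
    return True


if __name__ == "__main__":
    log = ControlLog()
    read_record("alice", "payroll.csv", log)            # allowed by the ACL
    for _ in range(3):
        read_record("bob", "payroll.csv", log)          # denied three times
    print(detect_repeated_denials(log))                 # ['bob: 3 denied accesses']
    RECORDS["payroll.csv"] = b"id,salary\n1,999999\n"   # constructed integrity failure
    print(verify_and_restore("payroll.csv", log))       # True
    print(log.audit)
```

The three functions are deliberately independent: the preventive check never consults the alerts, and the corrective restore does not depend on how the integrity failure was detected. In a real system the audit trail would be written to append-only storage and the known-good checksums kept separately from the data they protect, so that a single change cannot defeat both the detective and the corrective control.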
Information security standards and control frameworks
Many information security standards promote good security practices and define a framework or system for the analysis and design of how information security controls are managed. Some of the best known are described below.
International information security standards
ISO/IEC 27001 specifies 114 controls in 14 groups:
- A.5: Information security policies
- A.6: How information security is organised
- A.7: Human resources security - controls that are applied before, during, or after employment.
- A.8: Asset management
- A.9: Access controls and managing user access
- A.10: Cryptographic technology
- A.11: Physical security of the organization's sites and equipment
- A.12: Operational security
- A.13: Secure communications and data transfer
- A.14: Secure acquisition, development, and support of information systems
- A.15: Security for suppliers and third parties
- A.16: Incident management
- A.17: Business continuity/disaster recovery (to the extent that it affects information security)
- A.18: Compliance - with internal requirements, such as policies, and with external requirements, such as laws.
U.S. Federal Government information security standards
From NIST Special Publication SP 800-53 revision 4:
- AC Access Control.
- AT Awareness and Training.
- AU Audit and Accountability.
- CA Security Assessment and Authorization (historical abbreviation).
- CM Configuration Management.
- CP Contingency Planning.
- IA Identification and Authentication.
- IR Incident Response.
- MA Maintenance.
- MP Media Protection.
- PE Physical and Environmental Protection.
- PL Planning.
- PS Personnel Security.
- RA Risk Assessment.
- SA System and Services Acquisition.
- SC System and Communications Protection.
- SI System and Information Integrity.
- PM Program Management.
U.S. Department of Defense information assurance standards
From DoD Instruction 8500.2 [1] there are 8 Information Assurance (IA) areas, and the controls are referred to as IA controls.
- DC Security Design & Configuration
- IA Identification and Authentication
- EC Enclave and Computing Environment
- EB Enclave Boundary Defense
- PE Physical and Environmental
- PR Personnel
- CO Continuity
- VI Vulnerability and Incident Management
DoD assigns each IA control to a leg of the CIA triad.
Telecommunications
In telecommunications, security controls are defined as security services as part of the OSI reference model:
- ITU-T Recommendation X.800.
- ISO 7498-2
These are technically aligned. This model is widely recognized.
Business control frameworks
There are a wide range of frameworks and standards that look at internal business and inter-business controls, including:
- SSAE 16
- ISAE 3402
- Payment Card Industry Data Security Standard
- Health Insurance Portability and Accountability Act
See also
- Access control
- Countermeasure
- Environmental design
- Information security
- OSI Reference Model
- Physical Security
- Risk
- Security
- Security techniques
- Security management
- Security services
References
- Information Security Forum, Standard of Good Practice for Information Security
- NIST SP 800-53 Revision 4
- DoD Instruction 8500.2
- FISMApedia Terms
Source of the article: Wikipedia