Security controls

Last updated

Security controls are safeguards or countermeasures to avoid, detect, counteract, or minimize security risks to physical property, information, computer systems, or other assets. [1] In the field of information security, such controls protect the confidentiality, integrity and availability of information.

Contents

Systems of controls can be referred to as frameworks or standards. Frameworks can enable an organization to manage security controls across different types of assets with consistency.

Types of security controls

Security controls can be classified by various criteria. For example, controls are occasionally classified by when they act relative to a security breach:

Security controls can also be classified according to their characteristics, for example:

For more information on security controls in computing, see Defense in depth (computing) and Information security

Information security standards and control frameworks

Numerous information security standards promote good security practices and define frameworks or systems to structure the analysis and design for managing information security controls. Some of the most well known standards are outlined below.

International Standards Organization

ISO/IEC 27001:2022 was released in October 2022. All organizations certified to ISO 27001:2013 are obliged to transition to the new version of the Standard within 3 years (by October 2025).

The 2022 version of the Standard specifies 93 controls in 4 groups:

It groups these controls into operational capabilities as follows:

The previous version of the Standard, ISO/IEC 27001, specified 114 controls in 14 groups:

U.S. Federal Government information security standards

The Federal Information Processing Standards (FIPS) apply to all US government agencies. However, certain national security systems, under the purview of the Committee on National Security Systems, are managed outside these standards.

Federal information Processing Standard 200 (FIPS 200), "Minimum Security Requirements for Federal Information and Information Systems," specifies the minimum security controls for federal information systems and the processes by which risk-based selection of security controls occurs. The catalog of minimum security controls is found in NIST Special Publication SP 800-53.

FIPS 200 identifies 17 broad control families:

National Institute of Standards and Technology

NIST Cybersecurity Framework

A maturity based framework divided into five functional areas and approximately 100 individual controls in its "core."

NIST SP-800-53

A database of nearly one thousand technical controls grouped into families and cross references.

  • Starting with Revision 3 of 800-53, Program Management controls were identified. These controls are independent of the system controls, but are necessary for an effective security program.
  • Starting with Revision 4 of 800-53, eight families of privacy controls were identified to align the security controls with the privacy expectations of federal law.
  • Starting with Revision 5 of 800-53, the controls also address data privacy as defined by the NIST Data Privacy Framework.

Commercial Control Sets

COBIT5

A proprietary control set published by ISACA. [2]

  • Governance of Enterprise IT
    • Evaluate, Direct and Monitor (EDM) – 5 processes
  • Management of Enterprise IT
    • Align, Plan and Organise (APO) – 13 processes
    • Build, Acquire and Implement (BAI) – 10 processes
    • Deliver, Service and Support (DSS) – 6 processes
    • Monitor, Evaluate and Assess (MEA) - 3 processes

CIS Controls (CIS 18)

Formerly known as the SANS Critical Security Controls now officially called the CIS Critical Security Controls (COS Controls). [3] The CIS Controls are divided into 18 controls.

  • CIS Control 1: Inventory and Control of Enterprise Assets
  • CIS Control 2: Inventory and Control of Software Assets
  • CIS Control 3: Data Protection
  • CIS Control 4: Secure Configuration of Enterprise Assets and Software
  • CIS Control 5: Account Management
  • CIS Control 6: Access Control Management
  • CIS Control 7: Continuous Vulnerability Management
  • CIS Control 8: Audit Log Management
  • CIS Control 9: Email and Web Browser Protections
  • CIS Control 10: Malware Defenses
  • CIS Control 11: Data Recovery
  • CIS Control 12: Network Infrastructure Management
  • CIS Control 13: Network Monitoring and Defense
  • CIS Control 14: Security Awareness and Skills Training
  • CIS Control 15: Service Provider Management
  • CIS Control 16: Application Software Security
  • CIS Control 17: Incident Response Management
  • CIS Control 18: Penetration Testing

The Controls are divided further into Implementation Groups (IGs) which are a recommended guidance to prioritize implementation of the CIS controls. [4]

Telecommunications

In telecommunications, security controls are defined as security services as part of the OSI Reference model

These are technically aligned. [5] [6] This model is widely recognized. [7] [8]

Data liability (legal, regulatory, compliance)

The intersection of security risk and laws that set standards of care is where data liability are defined. A handful of databases are emerging to help risk managers research laws that define liability at the country, province/state, and local levels. In these control sets, compliance with relevant laws are the actual risk mitigators.

Business control frameworks

There are a wide range of frameworks and standards looking at internal business, and inter-business controls, including:

See also

Related Research Articles

Information security, sometimes shortened to InfoSec, is the practice of protecting information by mitigating information risks. It is part of information risk management. It typically involves preventing or reducing the probability of unauthorized or inappropriate access to data or the unlawful use, disclosure, disruption, deletion, corruption, modification, inspection, recording, or devaluation of information. It also involves actions intended to reduce the adverse impacts of such incidents. Protected information may take any form, e.g., electronic or physical, tangible, or intangible. Information security's primary focus is the balanced protection of data confidentiality, integrity, and availability while maintaining a focus on efficient policy implementation, all without hampering organization productivity. This is largely achieved through a structured risk management process that involves:

<span class="mw-page-title-main">Federal Information Security Management Act of 2002</span> United States federal law

The Federal Information Security Management Act of 2002 is a United States federal law enacted in 2002 as Title III of the E-Government Act of 2002. The act recognized the importance of information security to the economic and national security interests of the United States. The act requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.

COBIT is a framework created by ISACA for information technology (IT) management and IT governance.

ISACA is an international professional association focused on IT governance. On its IRS filings, it is known as the Information Systems Audit and Control Association, although ISACA now goes by its acronym only. ISACA currently offers 8 certification programs, as well as other micro-certificates.

Information security standards or cyber security standards are techniques generally outlined in published materials that attempt to protect the cyber environment of a user or organization. This environment includes users themselves, networks, devices, all software, processes, information in storage or transit, applications, services, and systems that can be connected directly or indirectly to networks.

A chief information security officer (CISO) is a senior-level executive within an organization responsible for establishing and maintaining the enterprise vision, strategy, and program to ensure information assets and technologies are adequately protected. The CISO directs staff in identifying, developing, implementing, and maintaining processes across the enterprise to reduce information and information technology (IT) risks. They respond to incidents, establish appropriate standards and controls, manage security technologies, and direct the establishment and implementation of policies and procedures. The CISO is also usually responsible for information-related compliance. The CISO is also responsible for protecting proprietary information and assets of the company, including the data of clients and consumers. CISO works with other executives to make sure the company is growing in a responsible and ethical manner.

Information security management (ISM) defines and manages controls that an organization needs to implement to ensure that it is sensibly protecting the confidentiality, availability, and integrity of assets from threats and vulnerabilities. The core of ISM includes information risk management, a process that involves the assessment of the risks an organization must deal with in the management and protection of assets, as well as the dissemination of the risks to all appropriate stakeholders. This requires proper asset identification and valuation steps, including evaluating the value of confidentiality, integrity, availability, and replacement of assets. As part of information security management, an organization may implement an information security management system and other best practices found in the ISO/IEC 27001, ISO/IEC 27002, and ISO/IEC 27035 standards on information security.

ISO/IEC 27002 is an information security standard published by the International Organization for Standardization (ISO) and by the International Electrotechnical Commission (IEC), titled Information security, cybersecurity and privacy protection — Information security controls.

The ISO/IEC 27000-series comprises information security standards published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).

MEHARI is a free, open-source information risk analysis assessment and risk management method, for the use of information security professionals.

ISO/IEC 27005 "Information technology — Security techniques — Information security risk management" is an international standard published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) providing good practice guidance on managing risks to information. It is a core part of the ISO/IEC 27000-series of standards, commonly known as ISO27k.

Information technology risk, IT risk, IT-related risk, or cyber risk is any risk relating to information technology. While information has long been appreciated as a valuable and important asset, the rise of the knowledge economy and the Digital Revolution has led to organizations becoming increasingly dependent on information, information processing and especially IT. Various events or incidents that compromise IT in some way can therefore cause adverse impacts on the organization's business processes or mission, ranging from inconsequential to catastrophic in scale.

NIST Special Publication 800-53 is an information security standard that provides a catalog of security and privacy controls for all U.S. federal information systems except those related to national security. It is published by the National Institute of Standards and Technology, which is a non-regulatory agency of the United States Department of Commerce. NIST develops and issues standards, guidelines, and other publications to assist federal agencies in implementing the Federal Information Security Modernization Act of 2014 (FISMA) and to help with managing cost effective programs to protect their information and information systems.

Security information and event management (SIEM) is a field within the field of computer security, where software products and services combine security information management (SIM) and security event management (SEM). SIEM is the core component of any typical Security Operations Center (SOC), which is the centralized response team addressing security issues within an organization.

<span class="mw-page-title-main">Risk Management Framework</span>

The National Institute for Standards and Technology's (NIST) Risk Management Framework (RMF) is a United States federal government guideline, standard and process for risk management to help secure information systems developed by National Institute of Standards and Technology. The Risk Management Framework (RMF), illustrated in the diagram to the right, provides a disciplined and structured process that integrates information security, privacy and risk management activities into the system development life cycle.

<span class="mw-page-title-main">IT risk management</span>

IT risk management is the application of risk management methods to information technology in order to manage IT risk, i.e.:

ISO/IEC 27001 is an international standard to manage information security. The standard was originally published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) in 2005, revised in 2013, and again most recently in 2022. There are also numerous recognized national variants of the standard. It details requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS) – the aim of which is to help organizations make the information assets they hold more secure. Organizations that meet the standard's requirements can choose to be certified by an accredited certification body following successful completion of an audit. The effectiveness of the ISO/IEC 27001 certification process and the overall standard has been addressed in a large-scale study conducted in 2020.

NIST Cybersecurity Framework (CSF) is a set of guidelines for mitigating organizational cybersecurity risks, published by the US National Institute of Standards and Technology (NIST) based on existing standards, guidelines, and practices. The framework "provides a high level taxonomy of cybersecurity outcomes and a methodology to assess and manage those outcomes", in addition to guidance on the protection of privacy and civil liberties in a cybersecurity context. It has been translated to many languages, and is used by several governments and a wide range of businesses and organizations.

The Center for Internet Security (CIS) is a US 501(c)(3) nonprofit organization, formed in October 2000. Its mission statement professes that the function of CIS is to " help people, businesses, and governments protect themselves against pervasive cyber threats."

This is a list of cybersecurity information technology. Cybersecurity is security as it is applied to information technology. This includes all technology that stores, manipulates, or moves data, such as computers, data networks, and all devices connected to or included in networks, such as routers and switches. All information technology devices and facilities need to be secured against intrusion, unauthorized use, and vandalism. Additionally, the users of information technology should be protected from theft of assets, extortion, identity theft, loss of privacy and confidentiality of personal information, malicious mischief, damage to equipment, business process compromise, and the general activity of cybercriminals. The public should be protected against acts of cyberterrorism, such as the compromise or loss of the electric power grid.

References

  1. "What are Security Controls?". www.ibm.com. Retrieved 2020-10-31.
  2. "COBIT Framework | Risk & Governance | Enterprise IT Management - ISACA". cobitonline.isaca.org. Retrieved 2020-03-18.
  3. "The 18 CIS Controls". CIS. Retrieved 2022-11-08.
  4. "CIS Critical Security Controls Implementation Groups". CIS. Retrieved 2022-11-08.
  5. X.800 : Security architecture for Open Systems Interconnection for CCITT applications
  6. ISO 7498-2 (Information processing systems – Open systems interconnection – Basic Reference Model – Part 2: Security architecture)
  7. William Stallings Crittografia e sicurezza delle reti Seconda edizione ISBN   88-386-6377-7 Traduzione Italiana a cura di Luca Salgarelli di Cryptography and Network security 4 edition Pearson 2006
  8. Securing information and communications systems: principles, technologies, and applications Steven Furnell, Sokratis Katsikas, Javier Lopez, Artech House, 2008 - 362 pages
  9. "Security Breach Notification Chart". Perkins Coie. Retrieved 2020-03-18.
  10. "Security Breach Notification Laws". www.ncsl.org. Retrieved 2020-03-18.
  11. "ts jurisdiction". Threat Sketch. Retrieved 2020-03-18.