Security controls

Last updated November 12, 2024

Security controls or security measures are safeguards or countermeasures to avoid, detect, counteract, or minimize security risks to physical property, information, computer systems, or other assets.^[1] In the field of information security, such controls protect the confidentiality, integrity and availability of information.

Types of security controls
Information security standards and control frameworks
International Standards Organization
U.S. Federal Government information security standards
Commercial Control Sets
Telecommunications
Data liability (legal, regulatory, compliance)
Business control frameworks
See also
References
External links

Systems of controls can be referred to as frameworks or standards. Frameworks can enable an organization to manage security controls across different types of assets with consistency.

Types of security controls

Security controls can be classified by various criteria. For example, controls can be classified by how/when/where they act relative to a security breach (sometimes termed control types):

Preventive controls are intended to prevent an incident from occurring e.g. by locking out unauthorized intruders;
Detective controls are intended to identify, characterize, and log an incident e.g. isolating suspicious behavior from a malicious actor on a network;^[2]
Compensating controls mitigate ongoing damages of an active incident, e.g. shutting down a system upon detecting malware.
After the event, corrective controls are intended to restore damage caused by the incident e.g. by recovering the organization to normal working status as efficiently as possible.

Security controls can also be classified according to the implementation of the control (sometimes termed control categories), for example:

Physical controls - e.g. fences, doors, locks and fire extinguishers;
Procedural or administrative controls - e.g. incident response processes, management oversight, security awareness and training;
Technical or logical controls - e.g. user authentication (login) and logical access controls, antivirus software, firewalls;
Legal and regulatory or compliance controls - e.g. privacy laws, policies and clauses.

Information security standards and control frameworks

Numerous information security standards promote good security practices and define frameworks or systems to structure the analysis and design for managing information security controls. Some of the most well known standards are outlined below.

International Standards Organization

ISO/IEC 27001:2022 was released in October 2022. All organizations certified to ISO 27001:2013 are obliged to transition to the new version of the Standard within 3 years (by October 2025).

The 2022 version of the Standard specifies 93 controls in 4 groups:

A.5: Organisational controls
A.6: People controls
A.7: Physical controls
A.8: Technological controls

It groups these controls into operational capabilities as follows:

Governance
Asset management
Information protection
Human resource security
Physical security
System and network security
Application security
Secure configuration
Identity and access management
Threat and vulnerability management
Continuity
Supplier relationships security
Legal and compliance
Information security event management; and
Information_security_assurance

The previous version of the Standard, ISO/IEC 27001, specified 114 controls in 14 groups:

A.5: Information security policies
A.6: How information security is organised
A.7: Human resources security - controls that are applied before, during, or after employment.
A.8: Asset management
A.9: Access controls and managing user access
A.10: Cryptographic technology
A.11: Physical security of the organisation's sites and equipment
A.12: Operational security
A.13: Secure communications and data transfer
A.14: Secure acquisition, development, and support of information systems
A.15: Security for suppliers and third parties
A.16: Incident management
A.17: Business continuity/disaster recovery (to the extent that it affects information security)
A.18: Compliance - with internal requirements, such as policies, and with external requirements, such as laws.

U.S. Federal Government information security standards

The Federal Information Processing Standards (FIPS) apply to all US government agencies. However, certain national security systems, under the purview of the Committee on National Security Systems, are managed outside these standards.

Federal information Processing Standard 200 (FIPS 200), "Minimum Security Requirements for Federal Information and Information Systems," specifies the minimum security controls for federal information systems and the processes by which risk-based selection of security controls occurs. The catalog of minimum security controls is found in NIST Special Publication SP 800-53.

FIPS 200 identifies 17 broad control families:

AC Access Control
AT Awareness and Training
AU Audit and Accountability
CA Security Assessment and Authorization (historical abbreviation)
CM Configuration Management
CP Contingency Planning
IA Identification and Authentication
IR Incident Response
MA Maintenance
MP Media Protection
PE Physical and Environmental Protection
PL Planning
PS Personnel Security
RA Risk Assessment
SA System and Services Acquisition
SC System and Communications Protection
SI System and Information Integrity

National Institute of Standards and Technology

NIST Cybersecurity Framework

A maturity based framework divided into five functional areas and approximately 100 individual controls in its "core."

NIST SP-800-53

A database of nearly one thousand technical controls grouped into families and cross references.

Starting with Revision 3 of 800-53, Program Management controls were identified. These controls are independent of the system controls, but are necessary for an effective security program.
Starting with Revision 4 of 800-53, eight families of privacy controls were identified to align the security controls with the privacy expectations of federal law.
Starting with Revision 5 of 800-53, the controls also address data privacy as defined by the NIST Data Privacy Framework.

Commercial Control Sets

COBIT5

A proprietary control set published by ISACA.^[3]

Governance of Enterprise IT
- Evaluate, Direct and Monitor (EDM) – 5 processes
Management of Enterprise IT
- Align, Plan and Organise (APO) – 13 processes
- Build, Acquire and Implement (BAI) – 10 processes
- Deliver, Service and Support (DSS) – 6 processes
- Monitor, Evaluate and Assess (MEA) - 3 processes

CIS Controls (CIS 18)

Formerly known as the SANS Critical Security Controls now officially called the CIS Critical Security Controls (COS Controls).^[4] The CIS Controls are divided into 18 controls.

CIS Control 1: Inventory and Control of Enterprise Assets
CIS Control 2: Inventory and Control of Software Assets
CIS Control 3: Data Protection
CIS Control 4: Secure Configuration of Enterprise Assets and Software
CIS Control 5: Account Management
CIS Control 6: Access Control Management
CIS Control 7: Continuous Vulnerability Management
CIS Control 8: Audit Log Management
CIS Control 9: Email and Web Browser Protections
CIS Control 10: Malware Defenses
CIS Control 11: Data Recovery
CIS Control 12: Network Infrastructure Management
CIS Control 13: Network Monitoring and Defense
CIS Control 14: Security Awareness and Skills Training
CIS Control 15: Service Provider Management
CIS Control 16: Application Software Security
CIS Control 17: Incident Response Management
CIS Control 18: Penetration Testing

The Controls are divided further into Implementation Groups (IGs) which are a recommended guidance to prioritize implementation of the CIS controls.^[5]

Telecommunications

In telecommunications, security controls are defined as security services as part of the OSI model:

ITU-T X.800 Recommendation.
ISO ISO 7498-2

These are technically aligned.^[6]^[7] This model is widely recognized.^[8]^[9]

Data liability (legal, regulatory, compliance)

The intersection of security risk and laws that set standards of care is where data liability are defined. A handful of databases are emerging to help risk managers research laws that define liability at the country, province/state, and local levels. In these control sets, compliance with relevant laws are the actual risk mitigators.

Perkins Coie Security Breach Notification Chart: A set of articles (one per state) that define data breach notification requirements among US states.^[10]
NCSL Security Breach Notification Laws: A list of US state statutes that define data breach notification requirements.^[11]
ts jurisdiction: A commercial cybersecurity research platform with coverage of 380+ US State & Federal laws that impact cybersecurity before and after a breach. ts jurisdiction also maps to the NIST Cybersecurity Framework.^[12]

Business control frameworks

There are a wide range of frameworks and standards looking at internal business, and inter-business controls, including:

SSAE 16
ISAE 3402
Payment Card Industry Data Security Standard
Health Insurance Portability and Accountability Act
COBIT 4/5
CIS Top-20
NIST Cybersecurity Framework

Related Research Articles

Information security is the practice of protecting information by mitigating information risks. It is part of information risk management. It typically involves preventing or reducing the probability of unauthorized or inappropriate access to data or the unlawful use, disclosure, disruption, deletion, corruption, modification, inspection, recording, or devaluation of information. It also involves actions intended to reduce the adverse impacts of such incidents. Protected information may take any form, e.g., electronic or physical, tangible, or intangible. Information security's primary focus is the balanced protection of data confidentiality, integrity, and availability while maintaining a focus on efficient policy implementation, all without hampering organization productivity. This is largely achieved through a structured risk management process.

COBIT is a framework created by ISACA for information technology (IT) management and IT governance.

ISACA is an international professional association focused on IT governance. On its IRS filings, it is known as the Information Systems Audit and Control Association, although ISACA now goes by its acronym only. ISACA currently offers 8 certification programs, as well as other micro-certificates.

Information security standards are techniques generally outlined in published materials that attempt to protect a user's or organization's cyber environment. This environment includes users themselves, networks, devices, all software, processes, information in storage or transit, applications, services, and systems that can be connected directly or indirectly to networks.

A chief information security officer (CISO) is a senior-level executive within an organization responsible for establishing and maintaining the enterprise vision, strategy, and program to ensure information assets and technologies are adequately protected. The CISO directs staff in identifying, developing, implementing, and maintaining processes across the enterprise to reduce information and information technology (IT) risks. They respond to incidents, establish appropriate standards and controls, manage security technologies, and direct the establishment and implementation of policies and procedures. The CISO is also usually responsible for information-related compliance. The CISO is also responsible for protecting proprietary information and assets of the company, including the data of clients and consumers. CISO works with other executives to make sure the company is growing in a responsible and ethical manner.

Information security management (ISM) defines and manages controls that an organization needs to implement to ensure that it is sensibly protecting the confidentiality, availability, and integrity of assets from threats and vulnerabilities. The core of ISM includes information risk management, a process that involves the assessment of the risks an organization must deal with in the management and protection of assets, as well as the dissemination of the risks to all appropriate stakeholders. This requires proper asset identification and valuation steps, including evaluating the value of confidentiality, integrity, availability, and replacement of assets. As part of information security management, an organization may implement an information security management system and other best practices found in the ISO/IEC 27001, ISO/IEC 27002, and ISO/IEC 27035 standards on information security.

ISO/IEC 27002 is an information security standard published by the International Organization for Standardization (ISO) and by the International Electrotechnical Commission (IEC), titled Information security, cybersecurity and privacy protection — Information security controls.

The ISO/IEC 27000 family comprises information security standards published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).

MEHARI is a free, open-source information risk analysis assessment and risk management method, for the use of information security professionals.

ISO/IEC 27005 "Information technology — Security techniques — Information security risk management" is an international standard published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) providing good practice guidance on managing risks to information. It is a core part of the ISO/IEC 27000-series of standards, commonly known as ISO27k.

Information technology risk, IT risk, IT-related risk, or cyber risk is any risk relating to information technology. While information has long been appreciated as a valuable and important asset, the rise of the knowledge economy and the Digital Revolution has led to organizations becoming increasingly dependent on information, information processing and especially IT. Various events or incidents that compromise IT in some way can therefore cause adverse impacts on the organization's business processes or mission, ranging from inconsequential to catastrophic in scale.

NIST Special Publication 800-53 is an information security standard that provides a catalog of privacy and security controls for information systems. Originally intended for U.S. federal agencies except those related to national security, since the 5th revision it is a standard for general usage. It is published by the National Institute of Standards and Technology, which is a non-regulatory agency of the United States Department of Commerce. NIST develops and issues standards, guidelines, and other publications to assist federal agencies in implementing the Federal Information Security Modernization Act of 2014 (FISMA) and to help with managing cost effective programs to protect their information and information systems.

Security information and event management (SIEM) is a field within computer security that combines security information management (SIM) and security event management (SEM) to enable real-time analysis of security alerts generated by applications and network hardware. SIEM systems are central to the operation of security operations centers (SOCs), where they are employed to detect, investigate, and respond to security incidents. SIEM technology collects and aggregates data from various systems, allowing organizations to meet compliance requirements while safeguarding against threats.

The Risk Management Framework (RMF) is a United States federal government guideline, standard, and process for managing risk to help secure information systems, developed by the National Institute of Standards and Technology (NIST). The RMF provides a structured process that integrates information security, privacy, and risk management activities into the system development life cycle.

IT risk management is the application of risk management methods to information technology in order to manage IT risk. Various methodologies exist to manage IT risks, each involving specific processes and steps.

ISO/IEC 27001 is an international standard to manage information security. The standard was originally published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) in 2005, revised in 2013, and again most recently in 2022. There are also numerous recognized national variants of the standard. It details requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS) – the aim of which is to help organizations make the information assets they hold more secure. Organizations that meet the standard's requirements can choose to be certified by an accredited certification body following successful completion of an audit. A SWOT analysis of the ISO/IEC 27001 certification process was conducted in 2020.

The NIST Cybersecurity Framework (CSF) is a set of voluntary guidelines designed to help organizations assess and improve their ability to prevent, detect, and respond to cybersecurity risks. Developed by the U.S. National Institute of Standards and Technology (NIST), the framework was initially published in 2014 for critical infrastructure sectors but has since been widely adopted across various industries, including government and private enterprises globally. The framework integrates existing standards, guidelines, and best practices to provide a structured approach to cybersecurity risk management.

The Center for Internet Security (CIS) is a US 501(c)(3) nonprofit organization, formed in October 2000. Its mission statement professes that the function of CIS is to " help people, businesses, and governments protect themselves against pervasive cyber threats."

This is a list of cybersecurity information technology. Cybersecurity is security as it is applied to information technology. This includes all technology that stores, manipulates, or moves data, such as computers, data networks, and all devices connected to or included in networks, such as routers and switches. All information technology devices and facilities need to be secured against intrusion, unauthorized use, and vandalism. Additionally, the users of information technology should be protected from theft of assets, extortion, identity theft, loss of privacy and confidentiality of personal information, malicious mischief, damage to equipment, business process compromise, and the general activity of cybercriminals. The public should be protected against acts of cyberterrorism, such as the compromise or loss of the electric power grid.

Cybersecurity engineering is a tech discipline focused on the protection of systems, networks, and data from unauthorized access, cyberattacks, and other malicious activities. It applies engineering principles to the design, implementation, maintenance, and evaluation of secure systems, ensuring the integrity, confidentiality, and availability of information.

References

↑ "What are Security Controls?". www.ibm.com. Retrieved 2020-10-31.
↑ "Detective controls". AWS. Dec 12, 2022.
↑ "COBIT Framework | Risk & Governance | Enterprise IT Management - ISACA". cobitonline.isaca.org. Retrieved 2020-03-18.
↑ "The 18 CIS Controls". CIS. Retrieved 2022-11-08.
↑ "CIS Critical Security Controls Implementation Groups". CIS. Retrieved 2022-11-08.
↑ X.800 : Security architecture for Open Systems Interconnection for CCITT applications
↑ ISO 7498-2 (Information processing systems – Open systems interconnection – Basic Reference Model – Part 2: Security architecture)
↑ William Stallings Crittografia e sicurezza delle reti Seconda edizione ISBN 88-386-6377-7 Traduzione Italiana a cura di Luca Salgarelli di Cryptography and Network security 4 edition Pearson 2006
↑ Securing information and communications systems: principles, technologies, and applications Steven Furnell, Sokratis Katsikas, Javier Lopez, Artech House, 2008 - 362 pages
↑ "Security Breach Notification Chart". Perkins Coie. Retrieved 2020-03-18.
↑ "Security Breach Notification Laws". www.ncsl.org. Retrieved 2020-03-18.
↑ "ts jurisdiction". Threat Sketch. Retrieved 2020-03-18.

External links

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] "What are Security Controls?". www.ibm.com. Retrieved 2020-10-31.

[2] "Detective controls". AWS. Dec 12, 2022.

[3] "COBIT Framework | Risk & Governance | Enterprise IT Management - ISACA". cobitonline.isaca.org. Retrieved 2020-03-18.

[4] "The 18 CIS Controls". CIS. Retrieved 2022-11-08.

[5] "CIS Critical Security Controls Implementation Groups". CIS. Retrieved 2022-11-08.

[x800-6] X.800 : Security architecture for Open Systems Interconnection for CCITT applications

[7] ISO 7498-2 (Information processing systems – Open systems interconnection – Basic Reference Model – Part 2: Security architecture)

[Stal-8] William Stallings Crittografia e sicurezza delle reti Seconda edizione ISBN 88-386-6377-7 Traduzione Italiana a cura di Luca Salgarelli di Cryptography and Network security 4 edition Pearson 2006

[FURNELL-9] Securing information and communications systems: principles, technologies, and applications Steven Furnell, Sokratis Katsikas, Javier Lopez, Artech House, 2008 - 362 pages

[10] "Security Breach Notification Chart". Perkins Coie. Retrieved 2020-03-18.

[11] "Security Breach Notification Laws". www.ncsl.org. Retrieved 2020-03-18.

[12] "ts jurisdiction". Threat Sketch. Retrieved 2020-03-18.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]