Security Controls for Dummies

Security controls are functions, counter-measures, processes, safeguards and other efforts to minimize any potential impact from security risks.

Security controls come in many different forms and categories:

  • Policy and procedures – define ways to do things, establish methodologies for processes
  • Proactive/Preventive controls – attempt to prevent security events from occurring
  • Monitoring/Detection controls – establish ways of monitoring systems and detecting problems
  • Corrective/Recovery control – attempt to limit the damage caused and help recover to normal operations rapidly

(a variety of these types and categories exist – most are variations of the same themes)

In everyday life, we use similar mechanisms constantly, but we don’t call them “controls”. When driving a car, we remind ourselves to check the fuel gage periodically to minimize the risk of running out of gas. We may also decide to store some extra gas in a can for backup. And we might decide to join an auto club that will bring gas to a stranded motorist or tow the car to a shop.

Reminding yourself to check the fuel gage is an example of a policy or procedure type control that establishes a way of doing things correctly. The intent is to always know when the fuel status is getting low so that you can refuel before you run out. Computer security policies and procedures are similar in that they outline the best methodologies for accomplishing good security practices. The process of actually checking the fuel gage could be considered both a proactive/preventive type control and a monitoring/detection control.

Keeping some extra gas in a can is an example of a corrective/recovery type control and so is joining the auto club. In computer security, similar controls include: making data backups, having backup power supplies, and having an incident response plan or a contingency plan.

Here are some examples of other common sense controls we use in everyday life and corresponding areas of security controls:

  • Locking the house doors at night [PHYSICAL SECURITY]
  • Buying some bottled water for emergencies [CONTINGENCY PLANNING]
  • Practice finding fire exits [AWARENESS AND TRAINING]
  • Keeping tax records [AUDIT AND ACCOUNTABILITY]
  • Testing an alarm system [SECURITY ASSESSMENT]
  • Putting several flashlights in easy to reach spots [CONFIGURATION MANAGEMENT]
  • Having a fire extinguisher [ENVIRONMENTAL PROTECTION]
  • Develop an emergency survival plan [SECURITY PLANNING]
  • Checking locks to see if they’ve been tampered with [SYSTEM INTEGRITY]

When we analyze how two sports teams will match up against each other, we don’t normally call it RISK MANAGEMENT, but in fact that is what we are practising. We do THREAT ASSESSMENT (the strengths of the other team) and VULNERABILITY ASSESSMENT (the weaknesses of our team) and we predict how they will balance against each other to produce a RISK ANALYSIS. Then we often propose strategies and counter-measures that can be used to mitigate that risk (SECURITY CONTROLS).

Here is a list of security controls that seem fairly simple and common sense oriented:

  • FLAW REMEDIATION (apply patches)
  • MONITORING (monitor your network)
  • INVENTORY (know what’s on your network)
  • BACKUPS (backup your data, have backup power)
  • CRYPTOGRAPHY (encrypt sensitive data)
  • ACCESS CONTROL (control access)
  • AUDIT LOGS (keep track of who did what)
  • CONTINGENCY PLAN (have an emergency plan)
  • RISK ASSESSMENT (balance threats and vulnerabilities)

Security Controls – Tool for Your Gameplan
Security Control Matrix
Introduction to 800-53 Controls

Comments are closed.