What are security controls?
- measures and safeguards implemented to protect information assets and mitigate security risks
- help organizations enforce security policies, manage vulnerabilities, and safeguard their systems and data
What is the difference between safeguards and countermeasures?
- safeguards are proactive
- countermeasures are reactive
What are the 3 different types of controls?
- Administrative Controls
- Technical Controls
- Physical Controls
Describe Administrative Controls
- include policies, procedures, guidelines, and security awareness training that govern the organization’s security posture
- examples include acceptable use, password management, data classification, incident response, and employee onboarding/offboarding procedures
Describe Technical Controls
- involve the implementation of hardware, software, and technologies to protect information systems
- examples: firewalls, encryption mechanisms, access control mechanisms, antivirus software, secure configurations, and network segmentation
Describe Physical Controls
- encompass measures to protect physical assets and the physical environment in which information systems operate
- examples: physical access controls, video surveillance, secure facilities, environmental controls (such as temperature and humidity regulation), and secure disposal of sensitive materials
What are security controls often based on?
- control objectives and frameworks that provide a structured approach to security implementation
What are examples of security control frameworks?
- NIST SP 800-53
- ISO/IEC 27001
- CIS Controls
Which NIST publication covers the assessment of security and privacy controls?
NIST SP 800-53
What is required for ensuring effectiveness of the security controls?
- regular control assessments and audits
- ongoing monitoring, maintenance, and update
What are the 6 security control types?
Name them in order.
- Deterrent
- Preventative
- Detective
- Compensating
- Corrective
- Recovery
Describe Deterrent security control type
Name an example
- intended to discourage potential attackers or unauthorized individuals from attempting to exploit vulnerabilities or engage in malicious activities
- prominent signage indicating the presence of video surveillance, security guards patrolling premises, visible locks or barriers
Describe Preventative security control type
Name an example
- deployed to stop or thwart unwanted or unauthorized activity from occurring
- access control mechanisms (e.g., strong authentication, user permissions), firewalls, IPS, encryption, secure coding practices
Describe Detective security control type
Name an example
- put in place to identify or detect security incidents or unauthorized activities that have already occurred
- security monitoring systems, IDS, log analysis tools, security incident and event management (SIEM) systems, security audits, mandatory vacation or job rotation
Describe Compensating security control type
Name an example
- alternative measures implemented to address the deficiencies or limitations of primary security controls
- provides options to other existing controls
- put in place when it is not feasible or practical to implement the originally planned controls or when existing controls are unable to fully meet the security requirements
- example:
- organization has a security policy that requires all employees to encrypt sensitive data when transmitting it over the network
- due to technical limitations in the existing infrastructure, the organization is unable to implement encryption on the network devices directly
- admins configure a VPN solution, that encrypts all network traffic between employee devices and the organization’s network
Describe Corrective security control type
Name an example
- modifies the environment to return systems to normal after an unwanted or unauthorized activity has occurred
- implemented to address identified security incidents, vulnerabilities, or deficiencies after they have been discovered
- example: antivirus that removes detected malware
Describe Recovery security control type
Name an example
- extension of corrective controls but have more advanced and complex abilities
- designed to facilitate the recovery and restoration of critical systems, operations, and data following a disruptive event
- example: intitiating failover
Describe Directive security control type
Name an example
- direct, confine or control the actions of subjects to encourage compliance with security policies
- often policy-based and establish mandatory guidelines that employees and stakeholders must follow
- password length complexity
Which security control is likely driven by a legal requirement?
retention policy
Which security control can detect that an employee is engaging in an illegal activity over a period of time?
mandatory vacation, during which employee’s privileges are revoked
What’s the name for the degree of confidence that an organization has that its security controls are correcctly implemented?
assurance
What technique is most frequently used to assess security awarness?
surveys
What purpose are the CIS benchmarks frequently used for in organizations?
- baselining
- CIS benchmarks are configuration baselines that are frequently used to assess the security settings or configuration for devices and software
A significant benefit of a security control is when it goes unnoticed by users. What is this called?
transparency
-
Security Policies and Governance19
-
Risk Management78
-
Security Controls27
-
Information Security Legal and Regulatory Issues96
-
Business Continuity (BC) and Business Impact Analysis (BIA)53
-
Senior Management Roles5
-
Formulas for Quantitative Risk Management Analysis26
-
Due Care and Due Diligence10
-
IT Management: Managing Supply Chain and Vendors8
-
IT Management: Contracts11
