At the core of information security is protecting organizational assets, including hardware, software, data and people, against risk.
Any policies and actions taken to reduce, eliminate or otherwise mitigate these risks to assets are called security controls.
In this article, we will discuss the types of security controls that exist. Before we do, we need to understand the concept of control objectives and the basics of risks, threats and vulnerabilities.
Understanding the information security risk landscape
The overall information security risk picture has four related concepts: risk, threats, vulnerabilities and, finally, security incidents.
Risk is the likelihood that an existing vulnerability will be exploited by a threat actor, combined with the loss the organization would suffer if that happened. The loss may be informational, reputational or financial, or a loss of the company's goodwill.
A threat is any event that can affect the confidentiality, integrity or availability of information. Many threats are external in nature, but internal threats, such as a recently terminated or disgruntled employee, must not be ignored. Not all internal threats are intentional: an employee falling for a phishing email is not acting with malicious intent, yet the threat is real. Natural disasters are also threats.
A vulnerability is any flaw in software, business processes or hardware that can be exploited by a threat actor, resulting in a security incident.
A security incident is an attempted or successful exploitation of a vulnerability that leads to, or threatens, a loss of confidentiality, integrity or availability.
With these concepts of risk management in place, we can now look at what security controls are in cyber security and the different types that exist to manage these risks.
What are Control Objectives
The types of IT security controls and the details of their implementation are not selected arbitrarily.
At the root of control selection is a risk management process that takes into account all the assets, the risks they are exposed to and the controls suggested to counter those risks. Control objectives are determined before the risk assessment is performed and may be part of the organization's information technology strategy and policies. These policy documents state control objectives as statements like:
- restrict unauthorized access to a database
- backups will be taken and restore-tested regularly, etc.
Types of Security Controls
Security controls can be classified in two ways: by the type of control or by the function the control performs.
Security Control Types by Type:
Based on type, there are three categories of security controls: physical, technical and administrative.
Physical security controls:
Physical controls are tangible controls that you can actually touch. These are usually the first-level controls, designed and put in place to prevent and detect unauthorized physical access to information processing facilities, servers/hardware and other assets.
Some examples include access controls like biometrics, security guards, walls, gates, doors and CCTV. Environmental controls like humidity and fire controls are sometimes also included as physical controls.
Technical security controls:
These are logical controls that use hardware or software to protect information assets. Well-known examples include authentication and authorization controls like passwords, antivirus software, firewalls, IDS/IPS and encryption.
Administrative security controls:
Administrative controls set the tone for security at an organization. These are policies, strategies, procedures and other practices that are directed at ensuring the protection of information and assets of an entity.
These also include HR controls like hiring and termination procedures, segregation of duties, data classification guidance, log review and auditing. Since the human element is considered the weakest link in a security management system, employee security awareness and training are also administrative security controls.
Security control types by function
Different controls perform different functions. We will describe the types of security controls by function and also share some examples of each.
Preventative security controls:
These controls are put in place to stop a vulnerability from being exploited in the first place, that is, to prevent security incidents. Examples of preventative controls include hardening of operating systems, secure coding practices, physical boundary walls, security training and awareness, and an account disablement policy.
Detective security controls:
The second type of security control by function is detective. These controls help identify that a security incident has happened or is being attempted. Exception reports that highlight events needing further investigation, log reviews, video surveillance and intrusion detection systems are well-known examples of detective controls.
Corrective security controls:
These controls take corrective action once a security incident has already happened. Antivirus software is a good example, since it works as a preventive, detective and corrective control at the same time: when an infected file is found, it not only detects it but also eliminates the threat by quarantining or deleting the file.
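To make the detective/corrective distinction concrete, here is an added example (not code from the original article) that runs a detective control over a few constructed sshd-style log lines and then produces the corrective action the detection would trigger. The log format, the five-failures-in-five-minutes threshold and the firewall command are all assumptions chosen for illustration; in a real deployment the corrective step would apply the block rather than just build the command.

```python
"""Detective control (failed-login burst detection) paired with a corrective action.
Added example, not from the original article; log format and thresholds are assumed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in a Linux auth.log / sshd style (assumed format).
SAMPLE_LOG = """\
Mar 10 08:00:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51122 ssh2
Mar 10 08:00:03 host sshd[1202]: Failed password for root from 203.0.113.5 port 51123 ssh2
Mar 10 08:00:04 host sshd[1203]: Accepted publickey for alice from 198.51.100.7 port 40011 ssh2
Mar 10 08:00:06 host sshd[1204]: Failed password for root from 203.0.113.5 port 51124 ssh2
Mar 10 08:00:09 host sshd[1205]: Failed password for root from 203.0.113.5 port 51125 ssh2
Mar 10 08:00:10 host sshd[1206]: Failed password for bob from 192.0.2.9 port 33001 ssh2
Mar 10 08:00:12 host sshd[1207]: Failed password for root from 203.0.113.5 port 51126 ssh2
Mar 10 08:20:00 host sshd[1300]: Failed password for bob from 192.0.2.9 port 33002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse(line, year=2024):
    """Parse one sshd line into a dict, or return None for lines we do not understand.
    Syslog timestamps carry no year, so the caller supplies one (assumed 2024)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect_bursts(log_text, threshold=5, window=timedelta(minutes=5)):
    """Detective control: flag a source IP the first time it accumulates
    `threshold` failed logins inside a sliding `window`.
    Returns {ip: timestamp of the event that triggered the alert}."""
    recent = defaultdict(deque)  # per-IP timestamps of failures still inside the window
    alerts = {}
    for raw in log_text.splitlines():
        ev = parse(raw)
        if ev is None or ev["result"] != "Failed":
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and ev["ip"] not in alerts:
            alerts[ev["ip"]] = ev["ts"]
    return alerts


def corrective_actions(alerts):
    """Corrective control: the response once the detective control fires.
    Builds a host-firewall drop rule per offending IP (assumed response; not applied here)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(alerts)]


if __name__ == "__main__":
    found = detect_bursts(SAMPLE_LOG)
    for ip, when in found.items():
        print(f"ALERT {when:%H:%M:%S}: {ip} exceeded failed-login threshold")
    for cmd in corrective_actions(found):
        print("would run:", cmd)
```

Only 203.0.113.5 is flagged: it fails five times within eleven seconds, while 192.0.2.9 fails twice twenty minutes apart and never crosses the threshold inside the window. That is the point of pairing the two functions: the detective control decides when an event is an incident, and the corrective control defines the response; neither replaces the preventative control (rate limiting or key-only authentication) that would have stopped the password guessing in the first place.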
Deterrent security controls:
These controls are put in place to discourage a malicious event from being attempted. They are usually visible. Fencing around a data center or security patrols around it are examples of deterrent controls; others include hardware locks, cable locks and guards.
Compensating security controls:
During an information systems audit, if an expected control is missing, a compensating control may be in place instead. For example, a new hire may not yet be enrolled in the organization's standard authentication mechanism but may be using time-based one-time passwords (TOTP) in the meantime.
Similarly, electronic access logs may not be implemented for a small data center, but a well-kept logbook maintained by a guard physically present at the entrance may be a sufficient compensating control.
Key difference between preventative and detective controls
A preventative control is instituted before a vulnerability is exploited, with the aim of reducing the chance of, or avoiding, a security incident.
A detective control is put in place to detect attempts and attacks against information systems. It can only identify events after they have happened or been attempted, which means a preventative control was either absent or not robust enough.
Regular analysis of the resulting outputs of detective controls should help an organization further improve its preventative controls or implement new controls. The key goal of a security management system is to prevent threats from being successful because prevention is a lot better than cure.