While working in the area of information security, it is important to have an understanding of the common security standards or frameworks. While reading this article, you will obtain some knowledge of the controls specified by ISO/IEC 27001, the Federal Information Processing Standards (FIPS), the NIST cybersecurity framework and NIST Special Publication 800-53, as well as COBIT5.
Types of security controls
Security controls are safeguards or countermeasures to avoid, detect, counteract, or minimize security risks to physical property, information, computer systems, or other assets. In the field of information security, such controls protect the confidentiality, integrity and availability of information.
Systems of controls can be referred to as frameworks or standards. Frameworks can enable an organization to manage security controls across different types of assets with consistency.
Security controls can be classified by several criteria. For example, according to the time that they act, relative to a security incident:
- Before the event, preventive controls are intended to prevent an incident from occurring e.g. by locking out unauthorized intruders;
- During the event, detective controls are intended to identify and characterize an incident in progress e.g. by sounding the intruder alarm and alerting the security guards or police;
- After the event, corrective controls are intended to limit the extent of any damage caused by the incident e.g. by recovering the organization to normal working status as efficiently as possible.
They can also be classified according to their nature, for example:
- Physical controls e.g. fences, doors, locks and fire extinguishers;
- Procedural controls e.g. incident response processes, management oversight, security awareness and training;
- Technical controls e.g. user authentication (login) and logical access controls, antivirus software, firewalls;
- Legal and regulatory or compliance controls e.g. privacy laws, policies and clauses.
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.