Controls

  • A defense or countermeasure to put in place to manage risk.

  • Policies, strategies, technologies, configuration settings, etc. established in collaboration with various departments of an organization to help mitigate known risks.

  • The means of managing risk, including policies, procedures, guidelines, practices, or organizational structures, which can be of an administrative, technical, management, or legal nature.

Control Categories

  • Technical / Logical Controls

    • Implemented through technology.

    • May be deterrent, preventive, detective, or compensating.

    • Examples:

      • Patching

      • Firewalls, IDS/IPS

      • Access Controls

  • Administrative / Management Controls

    • Purpose: to implement security policies based on procedures, standards, and guidelines.

    • Documents, policies, procedures, and guidelines.

      • Acceptable Use Policy

      • Incident Response Plan (IRP)

    • People/Personnel

      • Security Operations Center

      • Guards

      • Surveillance

    • Security Awareness Training

  • Physical / Operational Controls

    • Reduce the risk of harm coming to physical property, information, computer systems, or other assets.

    • Examples:

      • Hardened Facility

      • Locks

      • Badges

Control Types

  • Deterrent Controls

    • Intended to discourage individuals from intentionally violating security policies, procedures, or technologies.

    • Highly visible.

    • Prevent offenses or abuses by influencing choices.

  • Preventive Controls

    • Stop an unwanted event.

    • Proactive measures.

    • Examples:

      • Access, authentication, authorization, verification.

      • Separation of Duties

      • Technical Standards

      • Network Security - Firewalls, IPS

      • Internet Filtering

  • Detective Controls

    • Warning of anomalies or violations.

    • Automated or Manual

    • Reactive

    • Examples:

      • Cameras

      • Motion Sensors

      • Intrusion Detection System / SIEM

      • Audits

  • Corrective Controls

    • Measures to lessen harmful effects or restore the system being impacted.

    • Mostly reactive measures.

    • Examples:

      • Patching/Upgrades

      • Hardening (Physical / Logical)

      • Process Improvements

  • Compensating Control

    • Alternate controls that are intended to reduce the risk of an existing or potential control weakness.

    • Mechanism that satisfies a required security measure.

    • PCI DSS:

      • Meet the intent and rigor of the original stated requirement.

      • Provide a similar level of defense as the original requirement.

      • Be "above and beyond" other requirements.

      • Be commensurate with the additional risk imposed by not adhering to the requirement.
