Controls are put into place to reduce the risk an organization faces, and they come in three main flavors: administrative, technical, and physical.
Administrative controls are commonly referred to as “soft controls” because they are more management oriented. Examples of administrative controls are security documentation, risk management, personnel security, and training.
Technical controls (also called logical controls) are software or hardware components, such as firewalls, intrusion detection systems, encryption, and identification and authentication mechanisms.
Physical controls are items put into place to protect facility, personnel, and resources. Examples of physical controls are security guards, locks, fencing, and lighting.
These control types need to be put into place together to provide defense-in-depth, which is the coordinated use of multiple security controls in a layered approach. A multilayered defense reduces the probability of successful penetration and compromise because an attacker must defeat several different kinds of protection mechanism before reaching the critical assets.
For example, Company A can have the following physical controls in place that work in a layered model:
- Fence
- Locked external doors
- Closed-circuit TV
- Security guard
- Locked internal doors
- Locked server room
- Physically secured computers (cable locks)
Technical controls that are commonly put into place to provide this type of layered approach are:
- Firewalls
- Intrusion detection system
- Intrusion prevention systems
- Antimalware
- Access control
- Encryption
The types of controls that are actually implemented must map to the threats the company faces, and the number of layers that are put into place must map to the sensitivity of the asset. The rule of thumb is the more sensitive the asset, the more layers of protection that must be put into place.
So the different categories of controls that can be used are administrative, technical, and physical.
But what do these controls actually do for us? We need to understand the different functionalities that each control type can provide us in our quest to secure our environments.
Security controls are also categorized by function: preventive, detective, corrective, deterrent, recovery, and compensating. Understanding these functions lets you make more informed decisions about which controls best fit a specific situation.
The six control functionalities are as follows:
- Preventive – intended to avoid an incident from occurring
- Detective – helps identify an incident’s activities and potentially an intruder
- Corrective – fixes components or systems after an incident has occurred
- Deterrent – intended to discourage a potential attacker
- Recovery – intended to bring the environment back to regular operations
- Compensating – provides an alternative to a primary control that cannot be implemented as intended
Once you understand fully what the different controls do, you can use them in the right locations for specific risks.
When designing the security structure of an environment, it is most productive to start from a preventive model and then use detective, corrective, and recovery mechanisms to support it. Basically, you want to stop trouble before it starts, but you must be able to react quickly if it finds you anyway. It is not feasible to prevent everything; therefore, what you cannot prevent, you should be able to detect quickly.
That’s why preventive and detective controls should always be implemented together and should complement each other. To take this concept further: what you can’t prevent, you should be able to detect, and if you detect something, it means you weren’t able to prevent it, and therefore you should take corrective action to make sure it is indeed prevented the next time around.
Therefore, all three types work together: preventive, detective, and corrective.
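The preventive, detective, and corrective loop described above, shown as an added Python example that is not part of the original text. It models a firewall allow-list as the preventive control, a simple brute-force detector over the traffic the firewall allowed as the detective control, and a block-list update as the corrective control. The log format, the IP addresses, the allowed ports, and the detection threshold are all assumptions constructed for the illustration.

```python
import re
from collections import Counter

# Preventive control (assumption): the perimeter firewall only allows these
# destination ports; all other inbound traffic is dropped before it reaches
# the asset.
ALLOWED_PORTS = {22, 443}

# Detective control (assumption): a source that completes this many SSH
# connections within one log window is treated as a brute-force attempt.
SSH_ATTEMPT_THRESHOLD = 5

# Constructed sample log lines (not real traffic). The format is an
# assumption: "<timestamp> src=<ip> dst_port=<port>".
SAMPLE_LOG = """\
2024-01-01T10:00:01Z src=10.0.0.5 dst_port=443
2024-01-01T10:00:02Z src=203.0.113.9 dst_port=3389
2024-01-01T10:00:03Z src=198.51.100.7 dst_port=22
2024-01-01T10:00:04Z src=198.51.100.7 dst_port=22
2024-01-01T10:00:05Z src=198.51.100.7 dst_port=22
2024-01-01T10:00:06Z src=10.0.0.5 dst_port=22
2024-01-01T10:00:07Z src=198.51.100.7 dst_port=22
2024-01-01T10:00:08Z src=198.51.100.7 dst_port=22
2024-01-01T10:00:09Z src=198.51.100.7 dst_port=22
"""

LINE_RE = re.compile(r"src=(?P<src>\S+)\s+dst_port=(?P<port>\d+)")


def parse_log(text):
    """Yield (src, port) pairs; lines that do not match the format are skipped."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("src"), int(m.group("port"))


def preventive(src, port, blocked):
    """Firewall decision: stop traffic before it reaches the asset."""
    if src in blocked or port not in ALLOWED_PORTS:
        return "DENY"
    return "ALLOW"


def detective(allowed):
    """Flag sources that got through the firewall but behave like an attack."""
    ssh_counts = Counter(src for src, port in allowed if port == 22)
    return {src for src, n in ssh_counts.items() if n >= SSH_ATTEMPT_THRESHOLD}


def corrective(blocked, offenders):
    """Turn the detection into a new preventive rule for the next window."""
    return frozenset(blocked) | offenders


def run_window(log_text, blocked=frozenset()):
    """Apply preventive -> detective -> corrective over one log window.

    Returns the per-line verdicts, the sources flagged by the detective
    control, and the block set the corrective control hands to the next window.
    """
    decisions = []
    allowed = []
    for src, port in parse_log(log_text):
        verdict = preventive(src, port, blocked)
        decisions.append((src, port, verdict))
        if verdict == "ALLOW":
            allowed.append((src, port))
    offenders = detective(allowed)
    return decisions, offenders, corrective(blocked, offenders)


if __name__ == "__main__":
    # Window 1: the firewall cannot prevent the SSH attempts (port 22 is
    # legitimately open), so the detective control has to catch them.
    decisions, offenders, blocked = run_window(SAMPLE_LOG)
    print("window 1 flagged:", sorted(offenders))
    # Window 2: the same traffic is now stopped by the preventive control.
    decisions2, offenders2, _ = run_window(SAMPLE_LOG, blocked)
    print("window 2 denied:", sum(v == "DENY" for _, _, v in decisions2))
```

In the first window only the RDP attempt is denied; the SSH brute force passes the preventive control because SSH is a required service, is caught by the detective control, and becomes a block rule, so in the second window the same traffic is denied without any detection being needed.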
The controls listed next, grouped by type (administrative, physical, and technical), are preventive in function. They are important to understand when developing an enterprise-wide security program.
Preventive: Administrative
- Policies and procedures
- Effective hiring practices
- Pre-employment background checks
- Controlled termination processes
- Data classification and labeling
- Security awareness
Preventive: Physical
- Badges, swipe cards
- Guards, dogs
- Fences, locks, mantraps
Preventive: Technical
- Passwords, biometrics, smart cards
- Encryption, secure protocols, call-back systems, database views, constrained user interfaces
- Antimalware software, access control lists, firewalls, intrusion prevention system
A common line of reasoning goes like this: “A firewall is a preventive control, but if an attacker knew it was in place it could be a deterrent.” Let’s stop right there. Do not make this any harder than it has to be. When mapping a functionality requirement to a control, think of the main reason that control would be put into place. A firewall tries to prevent something bad from taking place, so it is a preventive control. Log review is done after an event has taken place, so it is detective. A data backup system is built so that data can be recovered; thus, it is a recovery control. System images are created so that if software becomes corrupted it can be reloaded; thus, they are a corrective control.
One control functionality that some people struggle with is a compensating control. Let’s look at some examples of compensating controls to best explain their function. If your company needed to implement strong physical security, you might suggest to management that they employ security guards. But after calculating all the costs of security guards, your company might decide to use a compensating (alternative) control that provides similar protection but is more affordable – as in a fence.
In another example, let’s say you are a security administrator and you are in charge of maintaining the company’s firewalls. Management tells you that a certain protocol that you know is vulnerable to exploitation has to be allowed through the firewall for business reasons.
The network needs to be protected by a compensating (alternative) control for this protocol, which might be a proxy server for that specific traffic type that ensures it is properly inspected and controlled. So a compensating control is simply an alternative control that provides protection similar to the original control, used instead of it because it is more affordable or because it accommodates a specifically required business function.
Several types of security controls exist, and they all need to work together.
The complexity of the controls and of the environment they are in can cause the controls to contradict each other or leave gaps in security. This can introduce unforeseen holes in the company’s protection that are not fully understood by the implementers. A company may have very strict technical access controls in place and all the necessary administrative controls up to snuff, but if any person is allowed to physically access any system in the facility, then clear security dangers are present within the environment.
Together, these controls should work in harmony to provide a healthy, safe, and productive environment.
International Information Security Standards
ISO/IEC 27001:2013 Annex A specifies 114 controls in 14 groups (the 2022 revision restructures Annex A into 93 controls in four themes, but the 2013 grouping is listed here):
- A.5: Information security policies
- A.6: Organization of information security
- A.7: Human resources security – controls that are applied before, during, or after employment.
- A.8: Asset management
- A.9: Access controls and managing user access
- A.10: Cryptography
- A.11: Physical security of the organization’s sites and equipment
- A.12: Operational security
- A.13: Secure communications and data transfer
- A.14: Secure acquisition, development, and support of information systems
- A.15: Security for suppliers and third parties
- A.16: Incident management
- A.17: Business continuity/disaster recovery (to the extent that it affects information security)
- A.18: Compliance – with internal requirements, such as policies, and with external requirements, such as laws.
U.S. Federal Government Information Security Standards
The Federal Information Processing Standards (FIPS) apply to all US government agencies. However, certain national security systems under the purview of the Committee on National Security Systems are managed outside these standards.
Federal Information Processing Standard 200 (FIPS 200), “Minimum Security Requirements for Federal Information and Information Systems”, specifies the minimum security controls for federal information systems and the processes by which risk-based selection of security controls occurs. The catalog of minimum security controls is found in NIST Special Publication SP 800-53.
FIPS 200 identifies 17 broad control families:
- AC Access Control.
- AT Awareness and Training.
- AU Audit and Accountability.
- CA Security Assessment and Authorization (the abbreviation dates from the family’s earlier name, Certification, Accreditation, and Security Assessments).
- CM Configuration Management.
- CP Contingency Planning.
- IA Identification and Authentication.
- IR Incident Response.
- MA Maintenance.
- MP Media Protection.
- PE Physical and Environmental Protection.
- PL Planning.
- PS Personnel Security.
- RA Risk Assessment.
- SA System and Services Acquisition.
- SC System and Communications Protection.
- SI System and Information Integrity.
Starting with Revision 3 of SP 800-53, a Program Management (PM) family of controls was identified. These controls are independent of individual system controls but are necessary for an effective security program.
Starting with Revision 4 of SP 800-53, eight families of privacy controls were identified to align the security controls with the privacy expectations of federal law.
Telecommunications
In telecommunications, security controls are defined as security services within the OSI reference model:
- ITU-T Recommendation X.800
- ISO 7498-2
The two documents are technically aligned, and the model is widely recognized.
Business Control Frameworks
A wide range of frameworks and standards address internal and inter-business controls, including:
- SSAE 16
- ISAE 3402
- Payment Card Industry Data Security Standard
- Health Insurance Portability and Accountability Act