Stay up to date
Stay up to date with the latest threat reports, articles & mistakes to avoid.
Simple, yet important content.
No salesy pitches and all that, promise!
Security controls can be physical or virtual, policies, training, techniques, methodologies, action plan, devices, and customised solutions to avoid, detect, and prevent intruders and minimise the security risk befalling the individual or organisational proprietary information systems, etc.
In this topic, we will explore the basics of security controls, the types of security controls, and common information security controls in use today.
What is security control?
Security control is a parameter and action that an organisation executes to protect data and sensitive information from invasion and various cyber attacks and reduce and mitigate existing security risk or threats on critical assets (i.e., data, system, or network).
Antivirus software, Host-based IDS, SIEM solutions, hardware or software firewalls, surveillance systems, security guards, smart door locks, etc., are some of the significant examples of security controls.
Confidentiality Integrity and Availability
CIA triad, known as confidentiality, integrity, and availability, makes the core of information security principles. Data protection risks are calculated based on the attack likelihood and attack impact on each of these principles. The security controls responsible for protecting data are validated and improved after considering these three principles of information security.
What is the purpose of security controls?
The fundamental purpose of having appropriate cyber security controls is to reduce the outcome and probability of cyber security incidents. In addition, information or cyber security controls help ensure that all the necessary and required actions are in place to hold the businesses proprietary information’s CIA triad.
Along with the protection against cyber threats, security controls majorly help linger away from hefty fines and penalties that regulatory bodies such as the General Data Protection Regulation (GDPR) impose 20 million to 4% global turnover in case of cyber attack ending in sensitive data exposure.
To cope with the security controls and guarantee countermeasures are in place, data protection regulatory bodies have shared the guidelines and make it mandatory for organisations to implement relevant information security controls for robust data and assets protection.
The pandemic and exponential growth of online businesses have greatly influenced the cybersphere. 77% of large enterprises that utilise network-connected devices for their day-to-day activity saw an increased cyber attack by 67% in 2020 that too in all economic sectors. Furthermore, according to the statistics, 83% of businesses encounter phishing email daily. All these factors have driven the average cost of data breach to 3.86 million globally.
In addition to the increased cyber attack ratio, the emerging technological landscape with the development of advanced IoT devices, 5G deployment, more and more threats and vulnerabilities are being encountered regularly in the form of 0-day vulnerabilities.
What are the types of security controls?
In the cyber security domain, there are a variety of security controls that facilitate guarding business assets. On a broad level, cyber security controls are classified on three function levels. Those are:
- Preventive Controls
- Detective Controls
- Corrective Controls
However, according to the controls’ nature and characteristics, the same cyber security controls can be categorised as
- Physical Controls
- Technical Controls
- Administrative Controls
- Compensating Controls
- Regulatory Controls
Now, let’s understand all of the information security controls individually.
Preventive Controls: Preventive security controls refer to the countermeasure limiting cyber events from happening and stopping the incident before they occur.
Antivirus, software firewalls, blocking malicious traffic communication, blocking unauthorised accesses are some examples of preventive controls.
Detective Controls: These controls refer to information security countermeasures that identify the cyber events and notify the concerned authorities about the real-time event or suspicious action in progress.
Log monitoring, security alerts, intruder alarms, SEIM solutions, Video surveillance, etc., are some examples of detective controls.
Corrective Controls: These information security controls are those countermeasures that every organisation must have in advance. This control refers to the actions and plans that help reduce the impact and damage of the data breach or any cyber incident. These controls are a kind of response or recovery control that facilitates the business to continue its operation with minimum downtime.
Incident response plan, backup, etc., are some of the corrective controls examples.
Physical Controls: Physical controls prevent unauthorised physical access and enhance physical security to sensitive assets and data.
Depending upon the implementation nature, the physical controls can include physical security keys, security guards, perimeter fences, surveillance cameras, IDS (Intrusion detection sensors), access control cards, digital access cards, and biometric access controls, motion or thermal alarm systems and any related physical security control systems.
Technical Control: Technical controls are sometimes referred to as logical controls in information security. Such security controls utilise technical measures to mitigate risks and reduce vulnerabilities exposure in the real world. Depending upon the countermeasure, these controls can be automated software tools, technical configuration, or any physical device.
Network traffic filters to block malicious traffic or control incoming, outgoing traffic, Access control list on routers, firewall, server, host to manage and maintain access to devices and network, secure configuration to manage operation and access are some of the primary examples of technical controls.
Furthermore, some mechanism such as user authentication, password management, data encryption, antivirus, software firewalls, anti-malware, SIEM (Security Information and Event Management), IDS (Intrusion Detection System), IPS (Intrusion Prevention Systems), network authentication, file integrity auditing software is used explicitly for technical controls.
Administrative Controls: Administrative controls refers to the security measures associated with human factors. It involves procedures, policies, awareness, training, guidelines and best practices, frameworks and standards that organisations and their employees follow individually to meet the business security goals.
These information security controls address how well an organisation and individuals possess the security awareness and are prepared to prevent, detect and correct cyber incidents on their defined level. It includes resource management, disaster recovery plan, security training, implementation of security culture and policies following the business objectives, remediation of risk and other relative events.
Compensating/Alternative Controls: Such information security controls refer to those countermeasures used as a substitute for the time being to fulfil the necessity of demanded security measures or reduce the business risk. The compensated controls are often used due to financial limitation, infrastructure complexity, impractical implementation, or limited remediation time frame.
Regulatory Security Controls: Regulatory controls refers to the countermeasures that are made mandatory by the legal and regulatory bodies such as PCI-DSS, GDPR, HIPAA, ISO 27001 to meet the compliance requirements. It includes making relevant policies within the organisation to address data security and protection, individual privacy, security awareness, cyber assessments.
What are common security controls?
Numerous cyber security controls frameworks and standards, and best practices guidelines ease the organisation in identifying and rectifying vulnerabilities with security controls implementation. Some of the common cyber security controls frameworks are:
National Institute of Standards and Technology (NIST) Framework – Special Publication 800-53
The National Institute of Standards and Technology (NIST) Framework facilitates small to big enterprises by providing them guidance on whether their implemented security controls are implemented correctly, working as intended, and producing the desired outcome or not. In addition, NIST helps the organisation understand and manage the security risk while preventing, detecting and responding to cyber attacks.
NIST has various publications to address cyber risk and attack management, one of them is NIST Special Publication 800-53, which provides security and privacy controls for US information systems. National Institute of Standards and Technology (NIST) issues standards and procedures to help the organisation manage the cost-effective solution to protect their data and assets.
Center for Internet Security (CIS) Top 18
Center of Internet Security controls, famous as CIS controls, is a non-profit organisation security framework and standard that helps small, mid and large businesses to protect their information systems and minimise the attack surface from internet and physical threats. CIS helps businesses design a protected cyber surface for their online activities with security controls. It is a set of 18 cyber security best practices guidelines to prevent intrusion and battle cyber threats.
Center for Internet security controls provides real-world risk management and cost-effective, practical measurements to make information systems and assets resilient against known-unknown cyber attack. The prioritised 18 controls assist the organisation build a solid foundation. With the appropriate implementation of Top 18 CIS controls, an organisation can mature their security posture and significantly increase its secure growth, mitigating multiple attack vectors.
Discuss your concerns today
Cyber Essentials Scheme
Cyber Essential Scheme is a UK government-supported framework issued by the National Cyber Security Center, which helps Small-midsize businesses to large enterprises to protect against the most common cyber attacks with five sets of basic information security controls. By adhering to the five necessary security control areas, an organisation can prepare itself by uplifting its security posture and reduce risks. These five control areas are:
- Secure configuration
- User access control
- Malware protection
- Patch management
Another level of the certification known as Cyber Essentials Plus contains onsite audits and coverage across more areas such as secure communication and secure hardening standards.
Control Objectives for Information and Related Technologies (COBIT)
COBIT is an information system and technological controls created by ISACA to manage IT system and governance utilities. It offers practical guidance, training, resources, regulation and best practices to enhance its online and physical security.
COBIT framework aligns the IT objectives with the business requirements, offers practical solutions and management with each of the IT processes, assigns responsibilities and helps to address the gaps with cost-effective solutions and capabilities.
PAS 555 is another cyber security framework, but unlike other frameworks, it provides physical, behavioural, governance, and cultural guidance along with the technical guidance aspect. As a result, this framework dramatically helps to identify security control gaps, potential weak points within the organisation’s information systems and its supply chain.
PAS 555 guides businesses of all sizes and domains, including SMB, startups, large enterprises, public sector, non-profit, commercial, etc. It develops the businesses resiliency capabilities by improving incident response and management plans, remediating risk and providing adaptable approaches in enhancing the business process with relevant security requirements.
Minimum Cyber Security Standard (MCSS)
Minimum cyber security standards are one of the common and fundamental security control policies introduced by the United Kingdom (UK) government relevant to the National Institute of Standards and Technology security (NIST) framework in 2018. This is one of the common standards in the UK that serves security control with the five fundamental functions and mandates all government departments, agencies to incorporate relevant security controls around the five functions in their business strategy.
The MCSS sets the security requirements for all sizes of organisation and business and presents guidelines for solid and sound security posture.
Security Controls Assessment
Cyber security control assessment greatly helps an organisation analyse security gaps and attack surface and determine the current security position. Through the security control assessment result, the management and security teams can design customised security controls. However, there is no hard and fast rule for security control assessment.
By evaluating the result of all the preventative, detective, corrective, technical security controls, they can determine whether the current security measures are working according to their intended operation. Along with it, the security control testing evaluates the overall Information Security Management System and decides whether or not they are appropriate enough to combat cyber attack and resilient to any security incident or not.
Depending upon the organisation size and business nature, an organisation can follow security industry best practices, frameworks and standards to conduct the information security control assessment or create their own security assessment by undertaking the following critical steps in their security control assessment procedure.
Step # 1: Determine the targeted network
To analyse the security controls on the organisation assets and data, firstly, determine which system’s security controls you want to evaluate. Then, create a list of all IP addresses connected to your network, information systems, devices in the organisation network and infrastructure.
Step # 2: Determine the targeted application:
Once you determine the network, step ahead with selecting the application and services which security controls you want to assess. For this, list down all the services, web servers, web application, databases, technologies, devices, web-app servers, third-party components and other related things connected or used in building the organisation’s network, infrastructure and application.
Step # 3: Choose relevant security testing
This is the critical step in the cyber security control assessments. At this point, you perform actual cyber security testing on your targeted network and application. But, again, it depends on the organisation whether they want to perform one security testing or multiple, following what the security testing organisation can do to evaluate the posture of current security controls.
a) Vulnerability Assessment
Vulnerability assessment is a systematic approach to identify risk and security weakness in an information system (i.e., computer network, server, network device, application and other components of the IT ecosystem). It is a critical and fundamental approach to any security testing and helps evaluate the system.
Vulnerability assessment is done by automated tools to locate potential threats and weak access points in the organisation’s infrastructure, leading to risk exposure or leveraging the attacker in gaining access. In addition to this, it greatly helps in risk management by evaluating how susceptible the system is to known vulnerabilities and threats.
b) Penetration Testing
Penetration Testing, also known as pen-test, is a simulated cyber attack techniques organisation use as a defensive approach to test their network, web application, cloud infrastructure, embedded and IoT devices to identify potential vulnerabilities that can be exploited either alone or by chained up with other flaws.
The pen-test primary goal is to discover the existing weak point in the targeted assets and prevent cybercriminals and intruders from gaining access to the network, system or application. In addition, it evaluates whether the organisation’s security policies and controls are adequate and working as defined.
c) Security Audit
Security Audit is another systematic evaluation of an organisation’s Information Security Management system. Unlike other technical testing, security audits evaluate how well the organisation’s assets security controls conform to the regulatory bodies established criteria.
It is typically performed to determine the business nature compliances with the regulations and laws such as GDPR, HIPAA, SOX, etc., identify security gaps and weaknesses, compliances with the organisation’s internal policies, the effectiveness of security training and culture, and many more.
Thorough security audits assess the security controls by considering devices and software configurations, information handling processes and practices, data storage techniques, internal and external data transmission, and other necessary security requirements.
d) Risk Assessment
A cyber risk assessment is a process of evaluating information security assets that might be affected by a potential cyber attack. The risk assessment identifies and prioritises vulnerable holdings concerning risk rate, probability of threat exposure, and attack occurrence.
It is typically done after getting penetration testing, vulnerability assessment or other security testing followed by selecting controls to treat the identified risks. Finally, the assessment evaluates adversarial opportunities and removes or minimises their level by following a risk management plan according to their security requirements and urgency.
e) Log Review and Analysis
Log management and review are other critical parts while performing cyber security control assessment. The defensive system and solutions generate logs. The purpose of developing a log is to highlight and notify events such as incorrect login, malware detection, password change, file movement, DoS attack, new user accounts, etc by generating a flag when some abnormal event occurs.
Log analysis provides visibility and enhances capabilities to identify the cyber threats and malicious traffic coming to the host network. Later, it facilitates responding to cyber threats. With the log management system, the security team, system administrators, and overall organisation can monitor their traffic to diagnose and rectify the issues. In addition, regular log monitoring reduces the likelihood and severity of cyber attacks and promotes earlier threat management culture within the organisation.
Discuss your concerns today
Step# 4: Other Elements
Disaster Recovery Plan- This is one of the security controls organisations should have as a part of their business continuity strategy. While performing the security control assessment, look out whether the business has an appropriate incident response and recovery plan included in its cyber strategy or not.
The disaster recovery plan is something every organisation can use to restore important data and service, not only in cyber attacks but also in any natural disaster or mishap. An established incident and disaster recovery plan help an organisation continue the business during an investigation or downtime with minimal loss.
Backup- Similar to incident response and disaster recovery plan, having a backup for all important and sensitive data is as necessary as having an appropriate disaster recovery plan. During information security control assessment or implementation, ensure a backup plan to avoid data loss.
The backup data must be encrypted, updated and must be tested for successful restoration. Regular backup saves organisations from ransomware attacks, system failure and other natural incidents.
Patch Management- In the security control assessment, it is important to verify the patch management process. For example, identify how the updates are distributed, whether the update can be forged or not, etc. In addition, if your organisation built and utilises its own software instead of third parties, then it is essential for the business to promptly patch the system and application as soon as any vulnerability is discovered.
For this, you have to implement and maintain security controls for the patch management, too, because any unpatched bug can let the attacker compromise the other security controls. Thus, your single negligence will collapse the overall security posture of your organisation.
Step# 5: Reporting
Regardless of which security assessment any organisation chooses, all assessment results drive some of the weak points that can provide an opportunity to threat actors. In the reporting stage of security control assessment, you must compile and prioritise all security requirements and vulnerable points according to their importance to business security. Once you make a list, you can easily identify the missing controls or required controls.
Not every risk can be mitigated with information security controls, and oftentimes you have to bear the risk due to financial limitation or complexity in remediation. Therefore, security practitioners can only make the right approach to security controls implementation as they know how to implement required security controls to meet the objective of businesses and regulatory demands.
The end goal of cyber security control assessment to align the business objective and control’s objective with the three principles, i.e. CIA triad of information security. At cyphere, our security specialists have a wealth of experience in securing the cypher sphere with the proper security controls. Whether it is your on-prem infrastructure or cloud service model, we cater both through our regular assessment and managed security service to elevate the business’ overall cyber security position.