Which of the following are security controls you can use to help protect the data on your network? (Select three.)

Computer security is often divided into three distinct master categories, commonly referred to as controls:

  • Physical

  • Technical

  • Administrative

These three broad categories define the main objectives of proper security implementation. Within these controls are sub-categories that further detail the controls and how to implement them.

1.2.1. Physical Controls

Physical control is the implementation of security measures in a defined structure used to deter or prevent unauthorized access to sensitive material. Examples of physical controls are:

  • Closed-circuit surveillance cameras

  • Motion or thermal alarm systems

  • Security guards

  • Picture IDs

  • Locked and dead-bolted steel doors

  • Biometrics (includes fingerprint, voice, face, iris, handwriting, and other automated methods used to recognize individuals)

1.2.2. Technical Controls

Technical controls use technology as a basis for controlling the access and usage of sensitive data throughout a physical structure and over a network. Technical controls are far-reaching in scope and encompass such technologies as:

  • Encryption

  • Smart cards

  • Network authentication

  • Access control lists (ACLs)

  • File integrity auditing software

1.2.3. Administrative Controls

Administrative controls define the human factors of security. They involve all levels of personnel within an organization and determine which users have access to what resources and information by such means as:

  • Training and awareness

  • Disaster preparedness and recovery plans

  • Personnel recruitment and separation strategies

  • Personnel registration and accounting

What is Management Security?

Management security is the overall design of your controls. Sometimes referred to as administrative controls, these provide the guidance, rules, and procedures for implementing a security environment.

What is Operational Security?

Operational Security is the effectiveness of your controls. Sometimes referred to as technical controls, these include access controls, authentication, and security topologies applied to networks, systems, and applications.

What is Physical Security?

Physical security is the protection of personnel, data, hardware, etc., from physical threats that could harm, damage, or disrupt business operations or impact the confidentiality, integrity, or availability of systems and/or data.

What are Security Controls?

Security controls are parameters implemented to protect various forms of data and infrastructure important to an organization. Any type of safeguard or countermeasure used to avoid, detect, counteract, or minimize security risks to physical property, information, computer systems, or other assets is considered a security control.

Given the growing rate of cyberattacks, data security controls are more important today than ever. According to a Clark School study at the University of Maryland, cybersecurity attacks in the U.S. now occur every 39 seconds on average, affecting one in three Americans each year; 43% of these attacks target small businesses. Between July 2018 and April 2019, the average cost of a data breach in the United States was USD 8.2 million.

At the same time, data privacy regulations are growing, making it critical for businesses to shore up their data protection policies or face potential fines. The European Union implemented its strict General Data Protection Regulation (GDPR) rules last year. In the U.S., California’s Consumer Privacy Act is set to take effect January 1, 2020, with several other states currently considering similar measures.

These regulations typically include stiff penalties for companies that do not meet requirements. For example, Facebook recently reported it anticipates a fine of more than USD 3 billion from the U.S. Federal Trade Commission for shortcomings around data protection policies that led to several data breaches.

Types of security controls

There are several types of security controls that can be implemented to protect hardware, software, networks, and data from actions and events that could cause loss or damage. For example:

  • Physical security controls include such things as data center perimeter fencing, locks, guards, access control cards, biometric access control systems, surveillance cameras, and intrusion detection sensors.
  • Digital security controls include such things as usernames and passwords, two-factor authentication, antivirus software, and firewalls.
  • Cybersecurity controls include anything specifically designed to prevent attacks on data, including DDoS mitigation, and intrusion prevention systems.
  • Cloud security controls include measures you take in cooperation with a cloud services provider to ensure the necessary protection for data and workloads. If your organization runs workloads on the cloud, you must meet their corporate or business policy security requirements and industry regulations.

Security control frameworks and best practices

Systems of security controls, including the processes and documentation defining implementation and ongoing management of these controls, are referred to as frameworks or standards.

Frameworks enable an organization to consistently manage security controls across different types of assets according to a generally accepted and tested methodology. Some of the best-known frameworks and standards include the following:

National Institute of Standards and Technology Cyber Security Framework

The National Institute of Standards and Technology (NIST) created a voluntary framework in 2014 to provide organizations with guidance on how to prevent, detect, and respond to cyberattacks. The assessment methods and procedures are used to determine if an organization’s security controls are implemented correctly, operate as intended, and produce the desired outcome (meeting the security requirements of the organization). The NIST framework is consistently updated to keep pace with cybersecurity advances.

Center for Internet Security controls

The Center for Internet Security (CIS) developed a list of high-priority defensive actions that provide a “must-do, do-first” starting point for every enterprise looking to prevent cyberattacks. According to the SANS Institute, which developed the CIS controls, “CIS controls are effective because they are derived from the most common attack patterns highlighted in the leading threat reports and vetted across a very broad community of government and industry practitioners.”

Organizations can refer to these and other frameworks to develop their own security framework and IT security policies. A well-developed framework ensures that an organization does the following:

  • Enforces IT security policies through security controls
  • Educates employees and users about security guidelines
  • Meets industry and compliance regulations
  • Achieves operational efficiency across security controls
  • Continually assesses risks and addresses them through security controls

A security solution is only as strong as its weakest link. You should, therefore, consider multiple layers of security controls (also known as a defense-in-depth strategy), implemented across identity and access management, data, applications, network or server infrastructure, physical security, and security intelligence.

Security controls assessments

A security controls assessment is an excellent first step for determining where any vulnerabilities exist. A security controls assessment enables you to evaluate the controls you currently have in place and determine whether they are implemented correctly, operating as intended, and meeting your security requirements. NIST Special Publication 800-53 was created by NIST as a benchmark for successful security control assessments. The NIST guidelines serve as a best practice approach that, when applied, can help mitigate risk of a security compromise for your organization. Alternatively, your organization can also create its own security assessment.

Some key steps for creating a security assessment include the following:

  • Determine the target systems: Create a list of IP addresses required to be scanned in your network. The list should contain IP addresses of all the systems and devices connected in your organization’s network.
  • Determine the target applications: List the web applications and services to be scanned. Determine the type of web application server, web server, database, third-party components, and technologies used to build existing applications.
  • Vulnerability scanning and reporting: Keep network teams and IT teams informed of all assessment activity, because a vulnerability assessment can occasionally create bursts in network traffic when loading the target servers with requests. Also, obtain the unauthenticated pass-through for scanner IPs across the organization network and ensure the IPs are whitelisted in IPS/IDS. Otherwise, the scanner can trigger a malicious traffic alert, resulting in its IP being blocked.
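
The first and third steps above can be checked mechanically before a scan window opens. The following is an added example, not part of the original page: it expands in-scope ranges into a de-duplicated target list and reports scanner addresses that the IDS/IPS allowlist does not cover. Function names and all addresses (RFC 5737 documentation ranges) are constructed for illustration.

```python
import ipaddress


def build_targets(in_scope, excluded=()):
    """Expand in-scope CIDRs/addresses into sorted, de-duplicated hosts, minus exclusions."""
    excl = [ipaddress.ip_network(e, strict=False) for e in excluded]
    targets = set()
    for entry in in_scope:
        net = ipaddress.ip_network(entry, strict=False)
        # A single address (/32 or /128) is its own host; otherwise skip network/broadcast.
        addrs = [net.network_address] if net.num_addresses == 1 else net.hosts()
        for addr in addrs:
            if not any(addr in x for x in excl):
                targets.add(addr)
    # Sorting assumes one address family per run (IPv4 here).
    return sorted(targets)


def scanners_missing_from_allowlist(scanner_ips, allowlist):
    """Return scanner IPs not covered by any IDS/IPS allowlist entry."""
    allowed = [ipaddress.ip_network(a, strict=False) for a in allowlist]
    return [s for s in scanner_ips
            if not any(ipaddress.ip_address(s) in net for net in allowed)]


def preflight(in_scope, excluded, scanner_ips, ids_allowlist):
    """Summarize what will be scanned and which scanners would still trigger blocking."""
    return {
        "targets": [str(t) for t in build_targets(in_scope, excluded)],
        "scanners_not_allowlisted":
            scanners_missing_from_allowlist(scanner_ips, ids_allowlist),
    }


# Constructed sample inventory: overlapping ranges, one exclusion, two scanners.
IN_SCOPE = ["192.0.2.0/29", "198.51.100.10", "192.0.2.4/30"]
EXCLUDED = ["192.0.2.2/31"]            # e.g. fragile devices left out of scope
SCANNERS = ["203.0.113.5", "203.0.113.77"]
IDS_ALLOWLIST = ["203.0.113.0/28"]     # entries exported from the IPS/IDS

if __name__ == "__main__":
    report = preflight(IN_SCOPE, EXCLUDED, SCANNERS, IDS_ALLOWLIST)
    print(len(report["targets"]), "targets:", ", ".join(report["targets"]))
    for ip in report["scanners_not_allowlisted"]:
        print("scanner not allowlisted in IPS/IDS:", ip)
```

Any address reported as not allowlisted is a scanner whose traffic is likely to be flagged or blocked mid-assessment, so resolve it with the network team before the scan starts.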

Security controls and IBM Cloud

IBM Cloud meets strict governmental and industry security guidelines and policies and adopts several measures for increased physical security, which means you can feel confident as you modernize your applications no matter where you are on your journey to cloud.  

Which of the following are security controls you can use to help protect the data on your network? (Select three.)

Firewalls, data encryption, backups, and passwords are designed to protect computing devices.

What would best prevent an unauthorized person from remotely accessing your computer?

  • Make use of strong passwords.
  • Use antivirus software. “Do not avoid security patches.” Download a strong antivirus to prevent viruses, worms, and others. ...
  • Keep the software up to date.
  • Verify your software security. Do not allow any application to make changes to your computer.
  • Back up early and often.

When you install software, you're often asked for a product key, and you may also be given a product ID. What is the difference between a product key and a product ID?

A product key unlocks the software; a product ID is associated with software support. Frank has purchased a new Apple laptop, and he also wants to purchase a new mobile phone. He wants to be able to synchronize applications between the two devices.

Which of the following encoding schemes would most likely be used to represent an emoji?

Unicode is an international 16-bit encoding standard and is capable of representing millions of different characters with enough space for every character from every human language.
